Are any of you folks using Static Analysis tools of any flavour or perhaps relying on "Code Reviews" as an AppSec stop-gap? If so, I'd like to hear your thoughts on it... how it's deployed, used, who decides on remediation, etc., etc.

If you're using AppScan or Fortify, I definitely want to discuss the full spectrum of the injection points (if any) into the SDLC.

Cheers