Foundstone Security Frame
Hacme Casino http://www.foundstone.com/us/resources/whitepapers/hacmecasino_userguide.pdf
Foundstone CodeScout
Paros (web app security assessment) http://www.parosproxy.org/index.shtml
Don't overanalyze. (Don't spend two hours determining whether a strcpy is vulnerable when it takes two minutes to change.)
Identify code review objectives (Insider backdoors, compliance with specific regulations)
Lots of discussion of tools. I think the point is, use available analysis tools before bothering with a code review - it's easier and cheaper
http://www.securecoding.org/list
http://codesecurely.org