Wednesday, June 26, 2013

Automated Secure Code Review Anyone?

Summary

Imagine you are given the source code for a Java web application with about a million lines and were asked to review the code for any vulnerabilities and report back in a week. This can turn into an interesting exercise if you are a team of one. What are your options: crowdsource, ask for mercy, do your best? Thankfully there are other options, such as automated code review software. In this post I'll talk about Checkmarx's cloud-based solution that does security code analysis, and use OWASP's WebGoat (v5.4) project to see how it measures up.