The second, a static code analyzer called CAT.NET is an extraordinary tool. If used with some discipline, it can virtually eliminate XSS and SQL injection vulnerabilities in managed code.
From the SDL Blog on MSDN:
Today, we’re very excited to announce the availability of our next version of the Anti-Cross Site Scripting Library (Anti-XSS) v3 BETA as well as Code Analysis Tool .NET (CAT.NET) v1 CTP. Anti-XSS v3 BETA includes performance improvements, localization enhancement as well as a Security Runtime Engine (SRE) that uses an HTTP module to provide a level of protection against XSS for your application without the need to rebuild your code. CAT.NET v1 CTP is a binary analysis tool that can be used by developers to identify some common vulnerabilities that can lead to attack vectors such as XSS, SQL Injection and XPath Injection in your code. [From Announcing CAT.NET CTP and AntiXSS v3 beta]
If you're working in any .NET language on the web, including non-Microsoft languages, you should check CAT.NET out.