I don't do a lot of advertising on this blog, but this is a pretty important part of my "walk the talk" campaign. I have for years been espousing a four part analysis pattern, including manual dynamic analysis (vulnerability analysis), manual static analysis (code review), automatic dynamic analysis (scanning the app with something like ZAP), and automatic static analysis (code scanning). Well, I have added this last one, automatic static analysis to the list of products that POINT offers, with a partnership with Veracode. Veracode offers automatic static binary analysis, and is the best product I've found for web applications and mobile applications. What's more, I can triage the findings for you before delivery. (I'll of course also give you the original test results). I spoke on this in my talk from a couple of years ago, Developers: Care and Feeding.
https://www.youtube.com/watch?v=_7jsUACnjjM
I also spoke at length on the topic on the Brakeing Down Security podcast
http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf
So now, I offer this for real. It's not free, but it's a great addition to a vulnerability analysis, and I'm pleased to be able to add it to the suite of offerings we have here at POINT.