girish rateshwar wrote: Would any off-the-shelf products help speed up the analysis?
In the long run, maybe.
Open source tools like PMD/FindBugs can identify a handful of security issues. (A very small handful.) The commercial off-the-shelf products for security tend to be expensive and complex. They might help in the long run, but are unlikely to save you time on your first analysis.
Some people do security testing of Java applications as their full-time job. Paying them to test would certainly save you time. But it wouldn't save you money and wouldn't develop the in-house expertise I think you are trying to build.
One way to make a checklist is to look at the OWASP Top 10 and see if you have any of those issues. That will get you thinking about not just the Java code, but the application design as a whole.
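As an added illustration of the two points above (what a tool like FindBugs can catch, and what an OWASP Top 10 checklist item looks like in code), here is a Java example. It is not code from this thread, from PMD or from FindBugs; the class name, method names and the `users` table are assumptions made for the example. The unsafe method builds SQL text by concatenating untrusted input, which is the pattern FindBugs' security detector `SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE` reports (OWASP's injection category); the hardened method keeps the SQL text constant and binds the input as a parameter. The `main` method needs no database: it shows, with a constructed legitimate input containing an apostrophe, why the concatenated form is fragile while the parameterized form is not.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example for the thread, not code from the original post.
 * UserLookup, findEmailUnsafe/findEmailSafe and the "users" table are
 * assumptions made for illustration.
 */
public class UserLookup {

    /** Constant SQL text: the only part of the query the attacker never controls. */
    static final String SAFE_QUERY = "SELECT email FROM users WHERE username = ?";

    /** Builds the query by string concatenation; the input becomes part of the SQL grammar. */
    static String buildUnsafeQuery(String username) {
        return "SELECT email FROM users WHERE username = '" + username + "'";
    }

    /**
     * Vulnerable form. A static analyzer such as FindBugs reports the
     * executeQuery call here as SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
     * because the SQL text is not a compile-time constant.
     */
    public static String findEmailUnsafe(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(username))) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    /**
     * Hardened form. The SQL text is constant and the value is bound with
     * setString, so the JDBC driver treats it strictly as data.
     */
    public static String findEmailSafe(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(SAFE_QUERY)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    /** Counts single quotes in SQL text; an odd count means the input has broken the string literal. */
    static int singleQuoteCount(String sql) {
        int n = 0;
        for (int i = 0; i < sql.length(); i++) {
            if (sql.charAt(i) == '\'') {
                n++;
            }
        }
        return n;
    }

    /** Offline demonstration; no database connection is required. */
    public static void main(String[] args) {
        // Constructed input: a perfectly legitimate surname containing an apostrophe.
        String name = "O'Brien";

        String unsafeSql = buildUnsafeQuery(name);
        System.out.println("concatenated SQL : " + unsafeSql);
        System.out.println("quote count      : " + singleQuoteCount(unsafeSql)
                + " (odd: the input has altered the statement's structure)");

        System.out.println("parameterized SQL: " + SAFE_QUERY);
        System.out.println("bound parameter  : " + name
                + " (statement structure unchanged whatever the input is)");
    }
}
```

Running `main` prints the concatenated statement with three single quotes, which is already a syntax error for an innocent name and is the same property that makes the query injectable; the parameterized statement text stays identical for every input. When you go through the OWASP Top 10 with your own code, this "does user input ever become part of the query text?" question is the concrete check behind the injection item, and it is one of the few items a tool like FindBugs will partly answer for you.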