Professional penetration testers are usually good at finding all sorts of vulnerabilities, including logic flaws, that are highly specific to the site being tested. However, being a manual activity, penetration testing is performed infrequently, so there is a desire for developers to do more security QA in-house.
In-house security QA is usually done with a security tool, either a web scanner or a static code analyser. These tools are great for some vulnerabilities (e.g. cross-site scripting) but they usually cannot find logic or authorisation flaws at all.
So, how can we help developers find logic and authorisation flaws?