If you haven't already played with the Security Policy Analyser that shipped with WSE 3.0 - take a look. It rocks! Amongst other things it performs static validations to catch vulnerabilities such as:
And if you have played with it but got frustrated that you had to run it from the command line then we have great news. Pablo Galiano has implemented a version that uses GAT (guidance automation toolkit) to integrate this capability directly into Visual Studio!
For more information or to download a version of the tool join our workspace at http://practices.gotdotnet.com/projects/sopatterns
For more information on the actual basis for the tooling take a look at the Microsoft Research Samoa project at - http://research.microsoft.com/projects/samoa/. The analyser is one result of a lengthy investigation into establishing formal methods for specifying and verifying security goals of applications...