Michal Zalewski (lcamtuf), a Polish security researcher and author of many tools and books, is at it again.  On Friday, he released a fully automated, active web application security tool known as skipfish.  This tool allows developers and security professionals to have a solid reconnaissance tool which scans at high speed tools, easy to use, and has a number of different security checks with limited false positives.  In my particular environment, we are extremely budget poor (taking a 2nd budget cuts within under 6 months left in the fiscal is bad and I know others have it worse than we do).  So having the possibility to increase my tool set without spending a lot of money sits very well with our administration. From my initial testing yesterday, it did detect a few issues within a sample website which had not been detected prior. So in my book, this is a great plus.

The tool is under the Apache 2.0 license and is located at http://code.google.com/p/skipfish/  .  I see that today there has been a number of changes today to correct a number of issues since it was initially released yesterday.  I expect that this tool will be much more stable within the next few days. 

Scott Fendley ISC Handler