Here's a compilation of security testing tools for web apps, drawn from an answer on the Pro WebMasters StackExchange forum and other sources:
- Netsparker Community Edition - detects SQL Injection, XSS & other vulnerabilities
- Watcher - Fiddler plugin that works as a passive-analysis tool
- Microsoft Web Protection Library (WPL)
- Web Application Configuration Analyzer (WACA) - analyzes server configuration for security best practices related to General Windows, IIS, ASP.NET and SQL Server settings
- AntiXSS 4.0 - protects ASP.NET web-based applications from XSS attacks
- CAT.NET
- HP Scrawlr - scans for SQL injection vulnerabilities
- Exploit-Me - suite of Firefox add-ons
- Websecurify - also available as a Google Chrome Extension
- Acunetix Free Edition
- N-Stalker Free Edition
- Google's Skipfish
- RatProxy - passive web application security assessment tool
- Nikto2 - open source web server scanner
- w3af (Web Application Attack and Audit Framework)
- Arachni
- Wapiti
- WebScarab