Web developers who care about security should check out Google’s latest addition to its open source tools.
It’s called skipfish. It’s written in C. It’s a fully automated Web application security tool that scrounges through your Web site looking for security holes.
It’s supposed to be easy because skipfish uses “heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.”
According to Google, skipfish implements cutting-edge security logic: “high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.”
The tool should run on Linux, FreeBSD 7.0+, MacOS X and Windows (Cygwin).