The Guru College
skipfish
Here’s another tool to add in, alongside nikto and nmap – skipfish, an internal Google tool, hosted on Google Code. It’s written entirely in C++, and compiles cleanly on Snow Leopard (after libidn-1.18, which also installs cleanly).
Running the full tests against my Nagios VM took about an hour – and pushed about 4GB of data over the network to the VM. The report is comprehensive, and found two places where I’d forgotten to validate my inputs for SQL inserts – which would allow for SQL injection attacks. This is very handy, and I’m going to keep it in my arsenal of security tools.