If you are smart enough to code your own web pages then running security tools against them should not be an issue. Most of the tools listed below are either freeware – no cost. Or a stripped down version of a commercial tool – try before you buy. One thing about these tools is you may have a high false positive rate. A false positive is when the tool identifies an issue but it cannot be exploited the way the tool thinks it could be.
This is the main issue with code and application scanning tools. Penetration testing is part art and part science. Very few people have the knack to take a perfectly good working system and see how they can break it. I suspect many of the car junkies who like to take apart and customize their cars would make good pen testers.
Below are the tools. Each one has its own strengths and specialty focus on certain aspects of an application. Developers should install and play with them as they are working on code. This should be part of the project plan when plotting out the SDLC lifecycle of the application. “Baking in" security during development costs 90% less than shoehorning it on at the end.
N-stalker and Acunetix WVS are true pen test scanners and should be used for every deployment. The two from foundstone are good to run every few months to check if your application will overload when it hits 1million users and if google is holding anything good about your system. To check out IIS specifically there are a multitude of tools from MSFT itself and the resource kit is also a good place to start.
N-Stalker Web Security Scanner
Development & QA Phase - Controls and mitigate vulnerabilities introduced during development phases. Tests your application for common web vulnerabilities such as XSS and SQL injection, Buffer Overflow and Parameter Tampering.
Infrastructure & Deploy Phase - Scans your web server infrastructure using the most complete Web Attack Signature available in the market ("N-Stealth HTTP Vulnerabilities Database(tm)"). It is more than 35,000 signatures to guarantee a safe environment and secure deployment of your Web Application.
Audit & Pen-test Phase - Audits your production-level web applications and web server infrastructure by periodically combining the power of Component-oriented Web Application Security Assessment and the "N-Stealth HTTP Vulnerabilities Database(tm)"
Acunetix WVS Free Edition
Hackers are on the lookout for Cross Site Scripting (XSS) vulnerabilities in YOUR web applications: Shopping carts, forms, login pages, dynamic content are easy targets. Beat them to it and scan your web applications with Acunetix Web Vulnerability Scanner:
Acunetix WVS automatically checks your web applications for XSS, SQL Injection & other vulnerabilities.
Firewalls, SSL and locked-down servers are futile against web application hacking.
Acunetix checks your web applications for coding errors that result in Cross Site Scripting vulnerabilities.
Acunetix also checks for other vulnerabilities in popular web applications such as Joomla, PHPbb.
Acunetix identifies files with XSS vulnerabilities allowing you to fix them BEFORE the hacker finds them!
Two from Foundstone:
FS MAX - A scriptable, server stress testing tool. This tool takes a text file as input and runs a server through a series of tests based on the input. The purpose of this tool is to find buffer overflows of DOS points in a server.
SiteDigger 2.0 - Searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.
IIS 6.0 Resource Kit
The IIS 6.0 Resource Kit Tools can help you administer, secure, and manage IIS. Use them to query log files, deploy SSL certificates, employ custom site authentication, verify permissions, troubleshoot problems, migrate your server, run stress tests, and more.