Wednesday, April 14, 2010

Skipfish

I've recently been contracted to improve security on a couple different sites. One of them has been targeted by SQL Injection and Cross-Site Scripting (XSS) attacks. There was a lot of code to go through, and a lot of possible entry points to secure. I was able to do most of it efficiently, and I felt that the code was very much more secure than it was. However, the site was compromised again.

I was moaning about it on Twitter, and a friend of mine (Twitter) informed me about a tool called Skipfish (Google code). It claims to scan sites for security issues, including SQL injection vectors and XSS possibilities. And as far as I can tell, it does so fairly well. It's informed me of vulnerabilities and security issues on this site, and it helped me out with my client's site as well.