Additionally, if you're doing any kind of .NET development#151;Web-based or Windows-based#151, you should also use FxCop, which is another static analysis tool for .NET applications. It's not strictly focused on security issues, but it does include some useful security checks, mostly around aspects of the .NET code access security model.
In September of last year, I wrote a column for StickyMinds titled, "Warm and Fuzzy," in which I discussed the benefits of performing fuzz testing against your applications. Fuzzing can often reveal subtle security vulnerabilities in your code; there are several excellent fuzzers and fuzzing frameworks that are freely available, including:
· Peach-a smart (i.e., format-aware) fuzzing platform developed by Michael Eddington of Leviathan Security Group
· SPIKE and SPIKE Proxy-a general-purpose fuzzer and a Web application fuzzer, respectively, both developed by Immunity
In addition to the tools I've listed here, you can find a complete list of the top one hundred network security tools as voted by Nmap users at sectools.org. The list is a bit dated at this point (2006), but includes both free and commercial tools. It's still a good resource.
I hope I've encouraged you to start using some new security testing tools even if you don't have the budget for commercial tools right now. I'd also like to encourage you to take advantage of the many Web sites that offer free security training as well. After all, if you're unfamiliar with the underlying principles of the vulnerabilities for which you're testing, it'll be much more difficult for you to effectively use even the most user-friendly security tool.
If I've missed your favorite free tool on this list, tell me about it. Post a note on the discussion board and we'll continue the conversation there. Alternatively, I'll have to start a new quarterly column on StickyMinds called, "The Frugal Pentester".