Web application scanners focus on vulnerability discovery within web applications. These tools can work in two ways, synthetic transaction monitoring or real user monitoring. Synthetic transaction monitoring uses automation to test interactions with the web app and then the behavior is recorded. Real user monitoring analyses real user transactions while the web application is live.

• OWASP Zed Attack Proxy (ZAP) - OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It is one of the most active Open Web Application Security Project (OWASP) projects and has been given Flagship status. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https. It can also run in a daemon mode which is then controlled via a REST API.
• Burp suite - Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
• Nikto - Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received. The Nikto code itself is free software, but the data files it uses to drive the program are not.
• Arachni - Arachni is a Ruby framework that is fully open-sourced. It is versatile enough to run a command line scanner, grid scanners, run Ruby library for scripted checks, and multi-user multi-scan collaboration platform.

• Nessus - Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. Nessus scans cover a wide range of technologies including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure. The results of the scan can be reported in various formats, such as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX, scanning can be automated through the use of a command-line client. There exist many different commercial, free and open source tools for both UNIX and Windows to manage individual or distributed Nessus scanners. Nessus provides additional functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system. Nessus can also support configuration and compliance audits, SCADA audits, and PCI compliance
• OpenVAS - OpenVAS (Open Vulnerability Assessment System, originally known as GNessUs) is a software framework of several services and tools offering vulnerability scanning and vulnerability management. All OpenVAS products are free software, and most components are licensed under the GNU General Public License (GPL). Plugins for OpenVAS are written in the Nessus Attack Scripting Language, NASL. OpenVAS is an open-source alternative to commercial tools such as Nessus. OpenVAS also performs network vulnerability scans. OpenVAS is accessed through a web interface https://127.0.0.1:9392.
• Qualys - Qualys is a cloud based scanner that uses sensors places throughout the network to upload to the cloud. Qualys can use agents, scanning appliances, and network sensors to collect vulnerability information.

• Static analysis - is performed without running the code. There are multiple ways to review the code:
  • Data flow analysis - looks at runtime information.
  • Control flow graph - graph the components and their relationships, looking for ingress and egress between each component
  • Taint analysis - identify variables that are tainted with user-controlled input.
  • Lexical analysis - convert source code into tokens of information to abstract the code and make it easier to test.
  • Formal review - thorough line-by-line inspection of the code.
  • Lightweight - much less thorough and can be done in many ways such as:
    • Pair Programming - two coders working side-by-side checking each others work as they program.
    • Email - code is emailed to other coworkers for them to check
    • Over the shoulder - coworkers review the code while the programmer explains their logic.
    • Tool-assisted - automated tools to test.
• Dynamic analysis - testing software while it is running using synthetic transaction monitoring or real user monitoring.
• Reverse engineering - taking a compiled program and converting it to the source code.
• Fuzzing - injecting unexpected input into an application to see what happens.

• Nmap - a network scanner that can detect devices, open ports, and can determine the OS on each host.
• hping - hping is an open-source packet generator and analyzer for the TCP/IP protocol created by Salvatore Sanfilippo (also known as Antirez). It is one of the common tools used for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human-readable description of TCP/IP packets so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a short time
• Active vs. passive - Active enumeration is when you send data to the host and assess the responses. Passive enumeration is when you do not send any data to the host, but captures network traffic and makes assumptions based off that traffic.
• Responder - Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.

• Aircrack-ng - Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
• Reaver - brute force cracker of WPS enabled WiFi.
• oclHashcat - Hashcat is an offline password cracker. Hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. Hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.

• ScoutSuite - open source security auditing tool to test the security posture of cloud environments.
• Prowler - AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool lists gaps from best practices in your AWS instance.
• Pacu - an exploit framework, much like Metasploit, for AWS.