While attending DEF CON I got to check out a talk on a new web application security scanner called Grendel scanner. For those of you who don't know, I used to work at SPI Dynamics on the WebInspect product (now part of HP), and I've got to say it is one of the more impressive-looking open source options out there. Many of the enhancements that I asked SPI to add didn't get added to the final product, and Grendel scanner has a few of them, which I'm happy to see. One of them searches popular search engines for URLs and incorporates them into the scan to find additional site surface. It is also one of the only tools doing 404 page detection, something that is a requirement if you want to reduce false positives. He also has built-in reporting. I haven't dived into the guts yet, but it is well worth checking out from what I've seen.