I'm interested in finding open-source tools for auditing some PHP code I didn't write, before putting it into production. I'll need black-box HTTP-probing scanners as well as static code parsers/analyzers.
Where can I find a good comprehensive list of all such tools, and a smaller list of which ones are actually worth trying?
Here's a start. I haven't tried any of them:
Backtrack 4 has a bunch of web app testing and fuzzing tools included with it, so I tend to start with the tools found on it. In the past I have had good luck with W3AF identifying problems in Apache and php.ini configurations, as well as in the PHP apps that I've inherited.
Having done both source and black-box auditing before, I'm inclined to recommend Acunetix or IBM's Hailstorm. As previously mentioned, W3AF is a very good piece of software. But none of these pieces of software is nearly as good as doing it yourself.