Automated Scanner vs. The OWASP Top Ten

Jeremiah Grossman (WhiteHat Security, Inc.) has written an interesting article on automated vulnerability scanners and the limitations of these tools in finding real-life web application vulnerabilities.

The challenges of automated web application vulnerability scanning is a subject of frequent debate. Specifically because most websites have vulnerabilities (a lot of them) and we need help finding them quickly. The point of contention revolves around what scanners are able to find, or not. Using the OWASP Top Ten as a foundation, I published a white paper describing in detail how scanners approach certain complex situations. There is some marketing-fu within the pages, but the majority of it is content rich. Enjoy! "Automated Scanner vs. The OWASP Top Ten" http://www.whitehatsec.com/home/assets/OWASPTop10ScannersF.pdf


Great Wardialing Resource

A very good resource on wardialers:
http://www.wyae.de/software/paw/

Penetration Testing Frameworks

A good framework is a great resource for any pentester.
Here are some of the best I found:

SecurityFocus Article – PHP apps: Security’s Low-Hanging Fruit

The following column was published on SecurityFocus today:

PHP apps: Security’s Low-Hanging Fruit
by Kelly Martin
published 2007-01-08

PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here’s how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.

http://www.securityfocus.com/columnists/427
