Links
PR: 7
| Acunetix Web Vulnerability Scanner Acunetix WVS automatically checks your web applications for SQL Injection, XSS and other web vulnerabilities. |
PR: 6
| Paros Paros is a security tool for web application vulnerability assessment. All HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified. |
PR: 6
| Burp suite Burp suite is an integrated platform for attacking web applications. It contains all of the burp tools (proxy, spider, intruder and repeater) with numerous interfaces between them designed to facilitate and speed up the process of attacking a web applicat |
PR: 5
| Codescan CodeScan is the world's leading automatic tool for web source code vulnerability assessment and remediation. CodeScan rates and identifies the strength of your web applications and identifies issues that can result in vulnerabilities. |
PR: 4
| Spike PHP Security Audit Tool This is a new open source tool to do static analysis of PHP code for security exploits. |
PR: 6
| Fiddler HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and "fiddle" with incoming or outgoing data. |
PR: 0
| mod_evasive mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. |
PR: 5
| Hogwash Hogwash is an intrusion detection system (IDS)/packet scrubber. It can detect attacks on your network, and if you want, filter 95% of them out. |
PR: 0
| Armorize CodeSecure The first security appliance for Web applications, supporting multiple assessments with Web 2.0 UI, scans the Web code at rapid speed, and provides traceback and recommendations for identified vulnerabilities. |
PR: 4
| PHP Security Scanner PHP Security Scanner is a tool written in PHP intended to search PHP code for vulnerabilities. MySQL DB stores patterns to search for as well as the results from the search. The tool can scan any directory on the file system. |
N/A
| Munin Munin is an open source PHP application firewall that works similarly to mod_security, only it is applied to the PHP application, and not the webserver. Munin scans through the HTTP request headers and blocks unwanted requests, based on a set of rules. |
PR: 0
| Wfuzz Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for injection (SQL, XSS, LDAP, etc.), bruteforcing Forms parameters (User/Password), Fuzzing, etc. |
N/A
| Pixy Pixy is a Java program that performs automatic scans of PHP 4 source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability. |
PR: 5
| Cenzic Hailstorm With an innovative approach and flexible architecture, Cenzic Hailstorm is a powerful application vulnerability management tool that automates penetration testing for your web applications. |
PR: 6
| The Web Application Firewall Evaluation Criteria WAFEC is a result of a collaboration between web application firewall vendors and independent security professionals to create a comprehensive, vendor-neutral, web application firewall evaluation criteria. The resulting framework can be used to evaluat |
PR: 0
| Sprajax Not actually a PHP tool, but probably of interest to PHP developers is Sprajax, an open source security scanner for AJAX. |
PR: 0
| Firewall Script Firewall Script offers unparalleled protection against web based attacks for any website supporting PHP. Never before has this level of protection been available without costly routers or hardware. |
PR: 5
| Chorizo! Chorizo! is a proxy that allows you to scan your web sites and applications for common security vulnerabilities. |






