I’m going to focus on web application security here…

Really you want to get used to manually trawling through a website/application and playing with various parameters etc. so proxy tools are of great help (they allow you to capture and interact with forms, before they reach the server):

LiveHTTPHeaders – FireFox plugin.
Burp Proxy – Java based.

Obviously there becomes a point where manually crawling a whole website becomes rather time consuming/tedious and this is where automated scanning tools can be of help.

Black box:

WebSecurify – not used it but it’s been created by a well known web app security guy.
Skipfish – Google released this recently so it’s probably worth a look.

And there are many other commercial tools: WhiteHat Sentinel, HP Web Inspect and probably many others I can’t remember.

White box:

A lot of the academic research I’ve seen is related to static code analysis tools; I’ve not used any because they all focused on PHP only and had some limitations.

Other resources:

ha.ckers.org – great blog, with an active forum related to web app sec.
OWASP – as perviously mentioned, there are lots of insightful articles/guides/tutorials here.

If you want to learn more about manually attacking sites yourself the Damn Vulnerable Web App is a nice learning project. By that I mean, it’s a web application that is written to be deliberately insecure, so you can test your knowledge of web application security vulnerabilities legally.

I wrote a black box scanner in Perl for my third year dissertation which was quite an interesting project. If you wanted to build something yourself it really just consisted of:

• crawler
• parser
• attacker