Web Application Scanning

Web application scanning is a subject that I know little about. In a recent audit, I was asked if we used any tools for that, but it's not something we have addressed. It looks like this topic is going to get broader press coverage due to a presentation at this summer's Black Hat conference regarding the use of JavaScript and XSS to compromise intranets.
The presentation's author is the founder of WhiteHat Security. I found it kind of funny that they sell a website scanning service along with an appliance for scanning your intranet. Yet on the same website there is a copy of a previous Black Hat presentation they gave in 2004 that seems to argue that humans are needed to appropriately evaluate web application vulnerabilities. I'll have to keep reading on the website to find out what has changed.