For those pen-testers out there, you may be interested in this. Mavituna security recently announced a free “community version” of their scanner, Netsparker. For those who haven’t played with it yet, it’s pretty slick in one very important way, for manual penetration testers. If it can find something like blind SQL injection or command injection of some sort it will allow you to essentially use the tool itself as a pivoting tool to begin performing assessments after that initial compromise is complete. Pretty cool idea, and if you check the website, Ferruh has put up some good movies showing how powerful that can be. This would be one very good difference between a vulnerability assessment and a penetration test.
The community version can be found here. It’s definitely a great tool for those who want to perform assessments on the cheap or want to try a tool before they buy. Other scanners have tried this route in the past (E.g. Acunetix), and I think it’s a great way to show off the goods. I’m sure he and his team would appreciate feedback.