If you're a small startup looking to automate security testing against your application, I strongly recommend just shelling out for Burp Suite; it's like a couple hundred bucks tops, can be used to automate almost every common web app attack, and is the tool most likely to be used by good auditors when you eventually decide to get tested professionally.

http://portswigger.net/burp/

There's a free version, which disables the (mostly vestigial, anyways) "scanner", and slows down the fuzzer tool; if you're really automating security testing --- which, do --- pay for the real version; you want the fuzzer to work.

There are things sqlmap does that Burp does not do easily, but they're not important to app developers; if you're generating database exceptions with inputs, don't dick around trying to make time-based blind SQL work; just fix the bugs.