Here are some of the tools I use for security and code analysis (I bet you didn’t see that coming from!):
WebConfig Analyzer – You can do a standalone download and feed your web.config into it.
Wireshark – Use this to see what is going on on the network.
Fiddler – Great for HTTPS inspection.
Netsparker – Use it to hit test sites and see if it throws back anything useful.
BackTrack 4 – Not sure what needs to be said here other than the best way to get a white hat is to take a black hat and bleach it.
FxCop – I run this against my code when I want to feel stupid and see how many places I’ve goofed. Things like putting getters and setters on read-only data. Doh!
Reflector – Other people’s code and programs look pretty fun when decompiled. Likewise, this is also good for making sure you didn’t leave any sensitive information in your own binaries.