"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."
What does this mean? Well, I am not an expert on the tool (yet), but it appears that RatProxy sits on your web server and monitors your existing site traffic for potential vulnerabilities and reports on them. It looks for threats like Cross-Site Scripting vulnerabilities, issues with content serving, Request Forgery vulnerabilities, unsafe JSON-like responses, and more.
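To make the "passive" idea concrete, here is a small checker I added for this post (it is not ratproxy's code, and I am not claiming these are ratproxy's exact rules): it takes responses that were already captured from normal browsing and tags the ones that show the kinds of content-serving and JSON-related patterns mentioned above. The `Response` type, the finding tags, the sample traffic and the list of "safe" JSON prefixes are all my own assumptions for the example.

```python
"""Passive audit of captured HTTP responses (hypothetical example, not ratproxy's code)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Constructed record of one observed response; header names are already lower-cased."""
    url: str
    status: int
    headers: dict
    body: str


# MIME types under which a JSON body is handled as data/script rather than rendered as a page.
JSON_MIME_TYPES = {"application/json", "application/javascript", "text/javascript"}

# Non-executable prefixes that some sites put in front of JSON so the body is not a
# valid script when included via <script src>; treated here as "protected" (assumption).
SAFE_PREFIXES = (")]}'", "while(1);", "for(;;);")


def media_type(resp):
    """Media type of the Content-Type header without parameters, lower-cased ('' if absent)."""
    return resp.headers.get("content-type", "").split(";")[0].strip().lower()


def has_charset(resp):
    """True if the Content-Type header carries an explicit charset parameter."""
    return "charset=" in resp.headers.get("content-type", "").lower()


def parse_json_like(body):
    """Return (value, protected) if the body is JSON, optionally behind a safe prefix.

    Returns (None, False) for anything that is not JSON.
    """
    text = body.lstrip()
    protected = False
    for prefix in SAFE_PREFIXES:
        if text.startswith(prefix):
            text = text[len(prefix):].lstrip()
            protected = True
            break
    if text[:1] not in ("[", "{"):
        return None, False
    try:
        return json.loads(text), protected
    except ValueError:
        return None, False


def audit_response(resp):
    """Return the list of finding tags for one observed response."""
    findings = []
    mt = media_type(resp)
    if resp.body and not mt:
        # No declared type at all: the browser will sniff one from the bytes.
        findings.append("missing-content-type")
    if mt == "text/html" and not has_charset(resp):
        # Without a charset the browser guesses the encoding, which can change how markup is parsed.
        findings.append("html-missing-charset")
    value, protected = parse_json_like(resp.body)
    if value is not None:
        if mt not in JSON_MIME_TYPES:
            # JSON served as HTML (or untyped) is rendered as a page instead of handled as data.
            findings.append("json-wrong-mime")
        if isinstance(value, list) and not protected:
            # A top-level array is also a valid JavaScript program, the classic "JSON hijacking" shape.
            findings.append("json-bare-array")
    return findings


def audit_traffic(responses):
    """Passive pass over captured responses; maps URL -> findings for responses that have any."""
    report = {}
    for resp in responses:
        findings = audit_response(resp)
        if findings:
            report[resp.url] = findings
    return report


# Constructed sample traffic for the example.
SAMPLE_TRAFFIC = [
    Response("/api/contacts", 200, {"content-type": "text/html"}, '[{"name": "alice"}, {"name": "bob"}]'),
    Response("/api/profile", 200, {"content-type": "application/json; charset=utf-8"}, '{"name": "alice"}'),
    Response("/api/feed", 200, {"content-type": "application/json"}, ")]}'\n[1, 2, 3]"),
    Response("/index", 200, {"content-type": "text/html"}, "<html><body>hi</body></html>"),
    Response("/download", 200, {}, "some bytes"),
]

if __name__ == "__main__":
    for url, findings in audit_traffic(SAMPLE_TRAFFIC).items():
        print(url, ", ".join(findings))
```

Nothing here sends a request; it only reads what the user's own browsing already produced, which is the property that makes this style of tool plausible to run against live traffic. The `/api/feed` sample shows the usual fix for the bare-array pattern (a non-executable prefix the client strips before parsing), while `/api/contacts` shows the same data served in the worst possible way.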
One especially interesting point is that the README file claims the tool can be safely deployed in a production environment.
I am pretty excited about this release. I have been meaning to look into these types of tools, and this gives me an excuse to get started. I am going to see if I can get this up and running and I will blog about the experience.
Does anyone have any experience with other automated web security analyzers? Burp? WebScarab? ProxMon?