Web-browsers with their addons are powerful tools to spot vulnerable web-applications.
I have good experience with both Chrome and Firefox, whereas both have a lot of developer tools and addons to use. Worth mentioning is TamperData, Tamper Chrome, PostMan, Web Scraper, d3coder, Site Spider, User Agent Switcher, Cookie Editor and Wappalyzer, to mention some. Infosec has a nice review of a lot of cool addons (maybe somewhat outdated). Of course most of this can be scripted and done using command line tools as well, however it is more convenient with it ready in your native browser on an everyday basis.
For interception I like BurpSuit and OWASP ZAP. The automated scan in ZAP actually works quite well for a selection of tests. BurpSuits scanner too, but it is not free.
For automated compliance checks, the OWASP dependency-check (GIT) can be used in Bash scripts or as plugins.
For vulnerability checks OpenVAS and NeXpose (both have free trials) are nice alternatives to the rather expensive Nessus.
If you like to practice and train your skills, do it offline or on your own web-apps(!).