1. Is there any article/post anywhere that lists different web application security testing products and compare them ?

2. What are the "n" things that a human consultant should do in testing a website's security besides using a vulnerability scanning tool ?