IMO nmap and Nessus should be included if this is to be a generic assessment as these are two of the most popular tools that attackers use. This is a good idea even if you have rolled your own web application because you want to have all the information that an attacker would. In addition, since this is PerlMonks someone has to mention libwhisker.