Be sure to have written permission first

Have you looked at w3af?

Nikto can perform some simple scans as well, even though it's mostly misconfigurations and known bugs it looks for of course.

As mentioned, W3AF may be able to help you as well, but it does have some stability issues, at least the last couple of times I checked it out.

Nessus is capable of scanning websites "somewhat", but that's not open source of course.

Metasploit has a few modules to scan websites too, but besides that, the best way really is to go for the manual approach with e.g., an intercepting proxy like Burp just to spider the website.

Web application security is often overlooked on several areas, hence the reason there isn't that many automated tools that can do almost everything for you, and even do it _right_ 

If you run a wordpress site, wpscan seems pretty good 

You can buy Burp Pro and it comes with a vulnerability scanner. And it is stable.

Don't you have any test/dev systems available? You might want to start there if you don't. Even the best tools could cause fluke problems. If a production problem would be that detrimental, you should try avoiding that situation entirely.

since the system is live I would not use any tools I would maybe do code review and see if you doing anything bad as well making sure that there is no low hanging fruit
is the database username admin is it using a weak password?
is there anywhere in the code that use dangerous function like include are their better ways to do this?
do you have files on the system locked down or can i get to your admin page easy ?
do you have a strong password policy ?
do you have stupid comments that say username:admin password : password or version number ?
do you have robots.txt does this tell me interesting directories ?

I would be looking at these type of things on live system.

I never thought of the P2V thing. That's actually a pretty good idea. I doubt I will be able to use that technique for this engagement because of server locations and the parties I would have to involve to get that done, but I'm definitely going to remember that for next time.

I actually just got word that there will be some dev systems available to test. My plan now is to do any intrusive scans on those systems first, do discovery scans on the live systems, and then use the results from dev to manually verify those vulnerabilities on the live systems.
Right now I'm being told that these are just going to be preliminary scans. I'll just be grabbing the low hanging fruit and then coming back later to do a comprehensive test.

The nature of these web applications makes it nearly impossible to test much without filling up the database with crap(forms, forms, and more forms), but now that I have the dev systems open to me, I should be able to get a lot more out of it.

Thanks again for the input.

Good point. I'll be sure to check on that!
I'd have a heart attack if I found that out after...