Re: WebInspect how well doe it deal with ColdFusion sites.
For the most part, WebInspect does not care what brand the target site is, so long as it presents HTTP traffic/responses. For due diligence, WebInspect does have named checks in the attack database for ColdFusion (see the Policy Manager tool), but the majority of its checks will fuzz the inputs regardless of the platform.
The true configuration you will need may involve the site itself. For example, adding to the Web Form Editor's default values can aid the Crawler in intelligently filling in the available forms and thereby expanding the exposed attack surface area. Session Exclusions or identifying custom State-keeping variables in the HTTP Parsing settings may also be needed.
-- Habeas Data Micro Focus Fortify Customers-Only Forums – https://community.saas.hpe.com/t5/Fortify/ct-p/fortify