Clouds and Grids offer significant challenges to providing secure infrastructure software. As part of a our effort to secure such middleware, we present First Principles Vulnerability Assessment (FPVA), a new analyst-centric (manual) technique that aims to focus the analyst's attention on the parts of the software system and its resources that are most likely to contain vulnerabilities that would provide access to high-value assets. FPVA finds new threats to a system and is not dependent on a list of known threats. Manual assessment is labor-intensive, making the use of automated assessment tools quite attractive. We compared the results of FPVA to those of the top commercial tools, providing the first significant evaluation of these tools against a real-world known collection of serious vulnerabilities. While these tools can find common problems in a program's source code, they miss a significant number of serious vulnerabilities found by FPVA. We are now using the results of this comparison study to guide our future research into improving automated software assessment.