While it is far more than a security tool, Google's massive database is a gold mine for security researchers and penetration testers. You can use it to dig up information about a target company by using directives such as “site:target-domain.com” and find employee names, sensitive information that they wrongly thought was hidden, vulnerable software installations, and more. Similarly, when a bug is found in yet another popular webapp, Google can often provide a list of vulnerable servers worldwide within seconds. Check out the Google Hacking Database and Johnny Long's excellent book: Google Hacking for Penetration Testers.
For downloads and more information, visit the Google homepage.
I give Google only one star because it itself is a security risk. Yes, they can be useful and Johnny Long's book is great, but they don't cover how to maintain your own security and protect your activities on the net. Plus their new TOS is appalling. See http://donttrack.us/ for a quick overview of a few of the issues.
There are two better search engines to use.
www.duckduckgo.com - new and very usable by technoids. Has a nice newsletter telling you what he is up to.
The very best (and a neat trick to use Google without ever going to Google) is http://www.startpage.com, also known as http://www.ixquick.com. This is the only search engine in the world that has the European Privacy Seal and has had it for several years. It is run by a Dutch company that has been serious about privacy for about 12 years. They have some good material on search engine tracking and the famous AOL/Google faux pas a few years ago. If you are at all concerned about security I suggest you spend the time to noodle around their site and play with the AOL database. Very educational and revealing.
It is a metasearch engine and gets results from Google without Google knowing who you are. They also provide a free proxy server if you wish to obfuscate your IP address.
Back to Google: imagine that you are trying to understand some new exploit to protect yourself. You are going to use a lot of hacker terminology in your searches, right? What if some governmental agency decides they want to track down all the potential users of the new exploit and asks Google, with one of those secret warrants where Google can't even admit it exists, much less tell you that the Feds are potentially after you? How are you going to prove that your intentions are all the best?