The challenge of automated web application vulnerability scanning is a subject of frequent debate. Most websites have vulnerabilities, a lot of them, and we need help finding them quickly and efficiently. The point of contention is what scanners are able to find, and what they are not. Let's clear something up: scanners don't suck (well, some do, but that's not the point I'm making). My business actually depends on leveraging our own vulnerability scanning technology. What I'm describing is how to set proper expectations of what scanners are currently capable of, and how that capability affects the assessment process.
Download: Automated Scanner vs. The OWASP Top Ten [reg required]
"The OWASP Top Ten is a list of the most critical web application security flaws – a list also often used as a minimum standard for web application vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and can't be found using either white box or black box scanners. This is important because a single missed vulnerability, or, more accurately, a single exploited vulnerability, can cause an organization significant financial harm. Proper expectations must be set when it comes to the various vulnerability assessment solutions."