Jeremiah Grossman discusses web application vulnerability scanning strategy.
Some web application vulnerability scanners, both dynamic and static analysis tools, are designed for comprehensiveness over accuracy. For others, the exact opposite is true. The tradeoff is that as the number of “checks” a scanner attempts increases, the volume of findings, false positives, scan times, site impact, and required man-hour investment grows exponentially. To let users choose their preferred spot between those two points, comprehensiveness and accuracy, most scanners offer a configuration dial typically referred to as a “policy.” Policies essentially ask, “What do you want to check for?” Whichever direction the comprehensiveness dial is turned will have a profound effect on the workload needed to analyze the results. Yet this subject isn’t discussed much.
In other words, you can dial the vulnerability scanner down to achieve regulatory compliance, or dial it up and put it in the hands of a skilled web application security analyst to mitigate the risks of web application exploits.