I just ran some Web vulnerability scans against an app I’m testing using a couple of default/benign scan policies. Nothing big turned up. I re-ran the scan using a full scan policy that checks for everything and the new MS10-070 ASP.NET padding oracle vulnerability reared its ugly head…BIG difference in the outcome.
Keep this in mind when checking for Web security flaws with your automated scanners and never ever completely rely on their results. You can’t live without them but they’re only ~50% of the solution.