Informative survey from Jeremiah Grossman

http://jeremiahgrossman.blogspot.com/2006/10/web-application-security-professionals.html

What caught my eye was #3. 71% responded they never "use a commercial web application vulnerability scanner during security assessments".

That surprised me for a couple of reasons:

1. Clients frequently request the use of a commercial scanner
2. Many of the larger security services firms we deal with (i.e. give us projects) not only have an enterprise-type license for one or more commercial tools but also require their use when doing a security assessment on their behalf.

Posted by tate 17/10/2006 at 14h59