A posting from Dark Reading in there Vulnerability Management section:  Vulnerability management and scanning systems typically combine a number of techniques to assess the risk faced by a business’s information technology, from scanning files and evaluating the current patch level to launching attacks and testing for practical vulnerabilities.

While assessing patch level tends to be the most reliable way to check for vulnerable code, there are times when real-world exploits are needed. In cases where the patch has not been correctly applied, or when there is no patch, the best way to check for the vulnerability is to actually probe the application. Custom Web applications, for example, will generally not be able to be assessed using a patch-level check, says Ross Barrett, senior manager for security engineering at Rapid7, a vulnerability management firm. “If a company has in-house Web apps, that is where you are going to get a lot of value out of that approach,” he says. “The real-world attacks can be replayed and give you results.”

To read more click here: