Although there are quite a few reservations about application security scanning technologies (e.g. false positives, false negatives, usability and, of course, price), there are also a couple of good reasons for using such tools:
1. Applications are becoming bigger and bigger
Enterprise applications can be quite large: 100,000 lines of code is something of a lower bound, and larger applications easily reach millions of lines of code. The same goes for the number of unique pages and business functions such an application can have. On the other hand, even an experienced code reviewer will only manage to analyse about 1,000 lines of code a day.
2. Applications change often
Agile-developed (Web) applications in particular change every sprint (e.g. every two weeks). But changes can also occur in the environment or integration of a production application; for instance, many Web applications are dynamically linked with other sites. While some changes are trivial and have no security impact, others (e.g. architectural changes) make a security review of the whole application necessary. Manual pen testing or code review alone cannot keep up with that rate of change.