What do you think should be the frequency of web application security scanning, such as an OWASP scan? I am asking as OWASP (and most web app flaws, for that matter) are related to the code of the app, and once the OWASP list, for example, is covered, is it worth running another scan in a month, for example, having in mind that the application code has not changed since the last OWASP scan? What are your thoughts around WAS scanning frequency and why?
Disclaimer: I have passed the exam, but not been endorsed for CISSP.
Assuming you have no contractual or compliance obligations that would mandate otherwise:
I would recommend at a minimum that you perform a vulnerability scan on updated/integrated code before releasing any update to production or any time your vulnerability scanner is updated to discover new vulnerabilities.
Each web developer should scan their changes before committing them.
Absolute worst case: Vulnerability scan once a year.
Don't forget to scan legacy apps that are still accessible.
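The rules in the answer above (scan before a release, scan when the scanner gains new checks, scan at least once a year, and keep scanning legacy apps that are still reachable) can be turned into a small scheduling check. The following is an added example, not code from the answer's author; the inventory fields, the app names and the dates are constructed for illustration, and the release gate only checks that the current code has been scanned, not whether that scan came back clean.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical inventory record for one web application (field names are assumptions).
@dataclass
class AppScanState:
    name: str
    reachable: bool                      # still accessible on the network (legacy apps count)
    last_code_change: datetime           # last commit/deploy that reached this app
    scanner_updated: datetime            # when the scanner's vulnerability checks were last updated
    last_scan: Optional[datetime] = None # None means the app has never been scanned

MAX_INTERVAL = timedelta(days=365)       # absolute worst case from the answer: once a year

def scan_reasons(app: AppScanState, now: datetime,
                 max_interval: timedelta = MAX_INTERVAL) -> List[str]:
    """Return every reason a scan is due for this app now; an empty list means no scan is needed."""
    if not app.reachable:
        return []                        # unreachable/decommissioned: nothing exposed to scan
    if app.last_scan is None:
        return ["never scanned"]
    reasons = []
    if app.last_code_change > app.last_scan:
        reasons.append("code changed since last scan")
    if app.scanner_updated > app.last_scan:
        reasons.append("scanner gained new checks since last scan")
    if now - app.last_scan >= max_interval:
        reasons.append("maximum interval exceeded")
    return reasons

def release_gate(app: AppScanState) -> bool:
    """Pre-release rule: an update may ship only if the current code has been scanned."""
    return app.last_scan is not None and app.last_scan >= app.last_code_change

def plan_scans(inventory: List[AppScanState], now: datetime) -> Dict[str, List[str]]:
    """Map each app that needs a scan to the reasons; apps with nothing due are left out."""
    plan = {}
    for app in inventory:
        reasons = scan_reasons(app, now)
        if reasons:
            plan[app.name] = reasons
    return plan

# Constructed sample inventory; the date values below are made up for the example.
NOW = datetime(2024, 6, 1)
SCANNER_UPDATED = datetime(2024, 4, 1)
SAMPLE_INVENTORY = [
    # changed after its last scan: must be rescanned before the next release
    AppScanState("shop-frontend", True, datetime(2024, 5, 28), SCANNER_UPDATED, datetime(2024, 5, 20)),
    # legacy app, untouched for years but still reachable: scanner has new checks and a year has passed
    AppScanState("legacy-portal", True, datetime(2019, 2, 1), SCANNER_UPDATED, datetime(2023, 3, 1)),
    # unchanged, scanned after the scanner update, well inside the yearly limit: nothing due
    AppScanState("intranet-wiki", True, datetime(2024, 1, 10), SCANNER_UPDATED, datetime(2024, 5, 1)),
    # decommissioned and no longer reachable: skipped
    AppScanState("retired-app", False, datetime(2020, 1, 1), SCANNER_UPDATED, datetime(2021, 1, 1)),
    # brand new and never scanned
    AppScanState("new-api", True, datetime(2024, 5, 30), SCANNER_UPDATED, None),
]

if __name__ == "__main__":
    for name, reasons in plan_scans(SAMPLE_INVENTORY, NOW).items():
        print(f"{name}: {', '.join(reasons)}")
    for app in SAMPLE_INVENTORY:
        print(f"{app.name}: release allowed = {release_gate(app)}")
```

Running it lists shop-frontend, legacy-portal and new-api as due, leaves intranet-wiki and retired-app out, and blocks a release of shop-frontend and new-api until they are rescanned. The point of the "scanner updated" rule is that unchanged code can still fail a newer scan, which is the case the question asks about.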
Most regard OWASP as a great reference point for web application security programs and education for IT Operations. Certain shops scan quarterly or bi-monthly and educate on the importance of code review standard operating procedures. The maturity of the security program may dictate the scan frequency, and also being able to allow developers a vehicle, similar to where they handle version control, to provide feedback to Information Security Teams during remediation.