Also look to provide app scanning as part of your vulnerability management process.
Institute measures to offer app scanning at multiple points in the process, In Development, Pre-production, and Post-Production. Create a process where developers can ask for ad-hoc/on demand scans. Look to add value to your security department by providing a service that helps both departments.
Too often I see a vulnerability management program that only does vulnerability scanning on endpoints or servers but forgets to include applications or farms it out to a third-party once every three or more years.