Today's dynamic and static web vulnerability scanners are capable of analyzing complex web applications for security weaknesses. They automate testing of much common vulnerability. However, there is a gap between static and dynamic scanners. They find different vulnerabilities. So why aren't dynamic testers running static tools? Typically, they don't have source code.