I know it depends on your organization, but what is the typical amount of times a year I should scan a web application for an organization that specializes with financials and has 15,000 employees?
You can run as many scans as you want with Qualys WAS. Easiest thing to do is create a schedule and have the web app scanned on a regular basis, say every weekend. On Monday morning open WAS and choose Find...Detections on the web app. Look for anything with a "new" status. Web apps change and the scanning engine gets better over time.
From a security standpoint, after each change.
@Dave Ferguson - Thank you for that response. We currently scans a web application once, every 12 months or anytime there is a change in the source code. is it a best practive to scan web apps on a weekly basis?
Not necessarily. I was just giving an example of one way it could be done. Often security personnel are not in the loop when an application changes. By scanning on a regular basis, they would be covered no matter what. Plus they get the benefits of new detections and improvements in the scanning engine over time.
Retrieving data ...