Penetration testing covers your full stack at runtime, from an external perspective. Code reviews can find errors through static analysis. To achieve even better test coverage, we advise using a specialized local agent/sensor to augment a penetration test. This is called Interactive Application Security Testing (IAST).
Although not suitable for all situations, IAST is the best approach when maximizing test coverage and minimizing vulnerabilities is your main purpose. In IAST, the local agent/sensor feeds the information it gathers from the running application back to the vulnerability scanning tool used in the penetration test. This creates an interactive loop that enables the test to learn and become more precise, yielding more findings in the process.
Please contact us if you would like to know more about how nSEC/Resilience can help in providing IAST services to your organization.