These things are not really mutually exclusive. Defense in depth. Getting more information on building defensible software does not preclude the need to have someone knowledgeable try to rip it apart afterwards.
I don't disagree on this, but the mentality of pentesting (as I have seen it conducted) is wrong. Typically a firm wants to find a way in, and snatch the Crown Jewels. Once they achieve that, the level of effort goes way down, and they often leave a lot of surface area unchecked.
Or maybe more succinctly: they are incentivized to find SOMETHING quickly, rather than EVERYTHING.
I think it can help if the testers are internal and not quite under the same time pressure / engagement limits though.