Hacker News
by ameliaquining 1230 days ago
Most of that information is readily available on the corporate intranet without having to dig through source code.

Security-by-obscurity isn't something to rely on (again, except in the case of things like abuse detection where there's no alternative).

1 comments

You aren't necessarily looking for things that would be defined as security by obscurity. You're looking for bugs with a security implication. With the source code, you can look for these bugs without arousing suspicion.