When testing the security of a Web application, do you think it is better to do a penetration test, or to review the code of the app? I only have the budget for one or the other.