Let’s say you’ve just had a pen test or security scan performed on your application. You review the list of findings and get to work on remediation. Beyond the obvious limitation that any single assessment technique only finds the classes of issues it is designed to find, working straight from that list may also be working against your business goals.
The point of the assessment is presumably to understand the open risks in your application so that you can remediate them or otherwise compensate for them. In most cases you have only a limited amount of developer time to spend on security fixes, because the same developers are also expected to ship new features that deliver business value. The problem is that when remediation is driven by whatever the scanner or pen test happened to report, you spend that scarce developer time on the issues that one technique can detect rather than on the risks that actually matter to your business.