It is recommended to use vulnerability scanning tools both for running applications (Dynamic Application Security Testing, DAST) and for code (Static Application Security Testing, SAST), and to perform penetration testing on critical company applications, ideally on all of them.
Application vulnerabilities are easier (and more cost-efficient) to remediate while the developers are writing the code, but following the defense in depth principle it is also important to scan in the pipeline, to catch code that was written without a code companion checking for vulnerabilities and that would otherwise be pushed through the pipeline and introduce risks. Finally, it is advisable to scan the deployed applications as well, since an application may have been deployed before the scan was added to the pipeline, or new vulnerabilities may be discovered after the scan (such as a dependency with a recently disclosed vulnerability).
There are many solutions from our partners on AWS Marketplace (such as Checkmarx and Veracode) to review application vulnerabilities.
There are many open source solutions (such as Nikto, Vega, or Burp Suite) that can help you scan your applications. AWS teams created and shared the Automated Security Helper (ASH), an open source tool available in AWS Samples, which finds leaked keys, vulnerabilities and bad practices.
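The pipeline scan described above only reduces risk if its findings actually stop a build. The following added example (not ASH code and not from AWS; written for this page) shows a minimal CI gate that reads the SARIF 2.1.0 output most SAST and secret scanners can emit, merges the results of several tools, and refuses to pass while any finding at or above a chosen level remains that has not been explicitly accepted. The SARIF format is real; the tool names, rule IDs, file paths and the embedded sample log are constructed for the example.

```python
"""Minimal CI gate over SARIF scanner output (added example, not ASH or AWS code)."""
import json
import sys
from collections import Counter

# SARIF result levels, lowest to highest severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF log: one SAST run and one secret-scanner run.
# Tool names, rule IDs and paths are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {
                "name": "example-sast",
                "rules": [{"id": "EX001",
                           "defaultConfiguration": {"level": "error"}}]}},
            "results": [
                {"ruleId": "EX001",
                 "message": {"text": "SQL query built from user input"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/db.py"}}}]},
                {"ruleId": "EX042", "level": "warning",
                 "message": {"text": "Debug mode enabled"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/settings.py"}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "example-secrets"}},
            "results": [
                {"ruleId": "aws-access-key", "level": "error",
                 "message": {"text": "Possible hard-coded AWS access key id"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "deploy/config.env"}}}]},
            ],
        },
    ],
})


def load_findings(sarif_text):
    """Flatten a SARIF log into (tool, rule_id, level, path) tuples.

    A result may omit "level"; SARIF then falls back to the rule's
    defaultConfiguration, and we fall back to "warning" if that is absent too.
    """
    log = json.loads(sarif_text)
    findings = []
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        rule_defaults = {
            rule.get("id"): rule.get("defaultConfiguration", {}).get("level", "warning")
            for rule in driver.get("rules", [])
        }
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown")
            level = result.get("level") or rule_defaults.get(rule_id, "warning")
            path = None
            locs = result.get("locations", [])
            if locs:
                path = (locs[0].get("physicalLocation", {})
                               .get("artifactLocation", {}).get("uri"))
            findings.append((tool, rule_id, level, path))
    return findings


def gate(findings, fail_at="error", allow_rules=()):
    """Return (passed, summary, blocking).

    passed   - True only if no finding at or above `fail_at` remains that is
               not in `allow_rules` (an explicit, reviewed acceptance list).
    summary  - Counter of findings per level, for the build log.
    blocking - the findings that caused a failure, for the developer.
    """
    threshold = LEVEL_RANK[fail_at]
    blocking = [f for f in findings
                if LEVEL_RANK.get(f[2], LEVEL_RANK["warning"]) >= threshold
                and f[1] not in allow_rules]
    summary = Counter(f[2] for f in findings)
    return (len(blocking) == 0, summary, blocking)


if __name__ == "__main__":
    # In a real pipeline the SARIF text would be read from the scanner's output file.
    found = load_findings(SAMPLE_SARIF)
    passed, summary, blocking = gate(found, fail_at="error")
    print("findings per level:", dict(summary))
    for tool, rule_id, level, path in blocking:
        print(f"BLOCKING {level:<8} {tool}:{rule_id} in {path}")
    sys.exit(0 if passed else 1)
```

The non-zero exit status is what makes the gate a control rather than a report: the CI job fails, so code that was never checked by a developer-side companion still cannot reach deployment unreviewed. The `allow_rules` list is deliberately an explicit parameter, so that accepting a finding is a visible, versioned decision rather than a silent threshold change.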
While it is good practice to deploy a Web Application Firewall (such as AWS WAF) to block attacks on applications, this does not mean that application vulnerability checks are no longer required. Following the defense in depth principle, both controls must be in place to reduce the risk of a vulnerability being exploited.
Later phases contain other recommendations related to this one:
Amazon Inspector: https://aws.amazon.com/inspector/pricing
Amazon CodeGuru: https://aws.amazon.com/codeguru/pricing
Amazon Q Developer: https://aws.amazon.com/codewhisperer/pricing