It is recommended to use vulnerability scanning tools both for applications (Dynamic - DAST), and code (static, SAST) and perform penetration testing on critical company applications and ideally on all of them.
There are many solutions from our partners on AWS Marketplace (such as Checkmarx y Veracode) and Open Source (such as Nikto, Vega, or Burp Suite) to review application vulnerabilities.
To simplify this task you can leverage the Automated Security Helper (ASH, an Open Source code available at AWS Samples). It will find keys, vulnerabilities and bad practices:
While it is a good practice to deploy a Web Application Firewall (such as AWS WAF) to block attacks on applications, this does not mean that no application vulnerability check is required. Following the defense in depth principle, both controls must be performed to reduce the risk of exploitation of a vulnerability.
In later phases are other recommendations related to this one: