What’s the difference between static and dynamic analysis?

Black Box Testing (or Dynamic Reviews)

Black box testing (or dynamic testing) begins with automated scans, which can be valuable for getting a quick read of the security state of a running application against a catalog of known technical vulnerabilities. These scans, however, are not complete, and because they only observe the application's behaviour they do not identify where in the code the problem exists. Scans are followed by manual verification of the reported vulnerabilities and by the identification of certain logical vulnerabilities that automated scans miss.

Code Reviews (or Static Reviews)

Source code reviews (also called static reviews or white box testing) are based on direct observation of the code that actually produces the application's behaviour. This allows for more insightful analysis and more specific recommendations, which can range from the discovery of simple typing mistakes to specific, process-oriented recommendations. An assessment of the software's source code helps focus attention on where the software is most vulnerable.
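To make the contrast concrete, here is an added example (not code from the original page): a toy static review that walks the abstract syntax tree of a small constructed module and points at the exact line where a database query is built by string formatting and then passed to execute(), beside a toy dynamic probe that only runs the same function against an in-memory SQLite database with a benign name containing an apostrophe and reports the observed behaviour. The module under review, the function names `lookup_user` / `lookup_user_safe`, and the helper names are all assumptions made for the illustration. The static pass returns a source line number; the dynamic pass returns only a symptom, which is exactly the difference the two paragraphs above describe.

```python
import ast
import sqlite3

# Constructed sample module under review: the query is assembled with the
# % operator, so user input becomes part of the SQL text.
UNSAFE_SOURCE = '''\
import sqlite3

def lookup_user(conn, username):
    query = "SELECT id FROM users WHERE name = '%s'" % username
    return conn.execute(query).fetchall()
'''

# Constructed "after the fix" version: the value travels as a bound parameter.
SAFE_SOURCE = '''\
import sqlite3

def lookup_user_safe(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''


def _is_string_formatting(node):
    """True for `"..." % x`, f-strings, and `"...".format(...)`."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def static_review(source):
    """Toy static analysis (white box): report execute() calls whose argument is a
    variable that was built by string formatting. Returns [(line, message), ...]."""
    tree = ast.parse(source)
    # Pass 1: remember which variables were assigned from a formatting expression.
    tainted = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and _is_string_formatting(node.value)):
            tainted[node.targets[0].id] = node.lineno
    # Pass 2: flag execute() calls that consume one of those variables.
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"):
            for arg in node.args:
                if isinstance(arg, ast.Name) and arg.id in tainted:
                    findings.append((node.lineno,
                                     f"execute() receives '{arg.id}', built by string "
                                     f"formatting at line {tainted[arg.id]}"))
    return findings


def load_function(source, name):
    """Load a function from the constructed sample module so the dynamic probe can call it."""
    namespace = {}
    exec(source, namespace)  # constructed sample text only
    return namespace[name]


def dynamic_probe(lookup):
    """Toy dynamic test (black box): run the function against an in-memory database with
    an ordinary name and with a name containing an apostrophe, and record only what is
    observed. Nothing here knows which line of code produced the behaviour."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    conn.execute("INSERT INTO users VALUES (2, \"o'hara\")")
    observations = []
    for value in ("alice", "o'hara"):
        try:
            rows = lookup(conn, value)
            observations.append((value, f"ok: {len(rows)} row(s)"))
        except sqlite3.Error as exc:
            observations.append((value, f"error: {exc}"))
    return observations


if __name__ == "__main__":
    for label, source, name in (("unsafe", UNSAFE_SOURCE, "lookup_user"),
                                ("safe", SAFE_SOURCE, "lookup_user_safe")):
        print(f"[{label}] static review:", static_review(source))
        print(f"[{label}] dynamic probe:", dynamic_probe(load_function(source, name)))
```

On the unsafe module the static review names line 5 (and the formatting on line 4), while the dynamic probe only reports that the apostrophe input produced a database error; on the parameterised module the static review finds nothing and both probe inputs return a row. A real scanner and a real static analyser are far more thorough than this, but the division of labour, location versus symptom, is the same.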

See also: Black Box Testing vs. White Box Testing?
