After all the discussion around PCI DSS requirement 6.6 and what the real requirements are, we can conclude that from June 30, 2008 there are two options for the web application requirement:
1- Application code review, which is subdivided into the following alternatives:
- Manual review of application source code
- Proper use of automated source code analyzer (scanning) tools
- Manual web application security vulnerability assessments
- Proper use of automated web application security vulnerability assessment (scanning) tools
2- Web application firewall
I think that we should have both options implemented; they are not exclusive, and implementing just the manual web application assessment / code review would not assure the security of the application, because some time may pass between the discovery of the vulnerabilities and the patching/correcting/solving phase, during which the application will be exposed; also, new vulnerabilities introduced after the manual web application assessment will put the security of the application in jeopardy.
Another interesting point is alternative 4 of option 1, "Proper use of automated web application security vulnerability assessment tool": what is considered "proper"? I imagine a lot of "tool monkeys" launching automatic scanners, printing the tool report and justifying requirement 6.6 for two pennies, and then you will have to explain to your customer why your service is more expensive than the other...
It's always the same :(
More to come on this issue,