Dennis Hurst posted the interesting response he got from the PCI Council on the same question many people had about this section. I'm going to have to copy/paste large sections of his original post to keep the flow somewhat linear.
Section 6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
Does this mean an organization must hire an outside firm to do a source code review, black box pen-test or what? Can this same process be satisfactorily performed by internal staff with a commercial scanner? What scanner?
The "official" response Dennis received:
The answer to your inquiry is as follows.
Using specialized 3rd-party tools that perform thorough analysis of applications to detect vulnerabilities and defects may well meet the intention and objectives of the source code review requirement in PCI Data Security Standard requirement 6.6, if the company using the 3rd-party tool also has the internal expertise to understand the findings and make appropriate changes.
The PCI Security Standards Council will look to clarify this section of the standard during the next revision, to include that testing of web-facing applications can be done via source code review or products that test the application thoroughly for defects and vulnerabilities (when internal staff have the skills to use the tool and fix defects). The PCI Security Standards Council will also consider including prescriptive requirements as to what both the application firewall and application analysis tool or process should test for.
Thank you and regards,
The PCI Security Standards Council Response Team
Here is Dennis's conclusion:
Hold on there pilgrim. (Always wanted to say that) That's not exactly accurate, and it's advice that could get an organization in some hot water. TWICE the PCI Council stipulated that internal staff have the appropriate skills and expertise:
"also has the internal expertise to understand the findings and make appropriate changes"
"when internal staff have the skills to use the tool and fix defects"
My question now is how the heck is that going to be checked for? What would be the minimum bar? Will every brand X scanner start giving away user certification with each proof of purchase? Talk about a serious conflict of interest. The problem is there's no industry standard certification for web application security proficiency. I've talked about the need for a Web Application Security Professional Certification in the past.
Anyway, I'm glad we got even a little bit of clarity, so now we can move on to new bits of ambiguity. It keeps things fresh. :) Plus it'll be nice when PCI eventually documents what scanners should be able to identify and what web application firewalls should be able to block. Won't that be nice.