The PCI Security Standards Council, which maintains a set of security requirements for nearly every type of organization involved in credit card transactions, recently updated their Data Protection Standards to include a mandate that all regulated applications either have software security experts perform a code review for security vulnerabilities or use an application firewall to protect web-facing applications. This guideline is only a best practice for now, but on June 30th, 2008 it will become a mandatory requirement.
It's fantastic that a standard as impactful as PCI, which already included language that addressed software security concerns, is progressing to include accountability in the form of code review. However, it's concerning that the standard calls for an either/or choice between an activity and a technology that are not at all parallel. Application firewalls are effective at preventing certain kinds of attacks, but they are not an adequate substitute for building secure software. Code review is an essential part of secure development and should be mandatory for sensitive applications, like the ones governed by the PCI standards.