In assessments of public-facing apps, what must be true about vulnerabilities from Requirement 6.5?


Multiple Choice

In assessments of public-facing apps, what must be true about vulnerabilities from Requirement 6.5?

Explanation:
All vulnerabilities defined under Requirement 6.5 must be included in the assessment of public-facing applications. The point of 6.5 is to ensure secure coding practices and the remediation of weaknesses discovered during the software development lifecycle for apps exposed to the public. If you only review new vulnerabilities or skip non-critical issues, you’re not verifying that existing weaknesses have been addressed or that the app’s security posture remains solid over time. Including every 6.5 vulnerability in the assessment provides a complete picture of the app’s security and ensures appropriate remediation, rather than letting persistent or less severe issues slip through. Vulnerabilities from other requirements aren’t the focus here, and ignoring non-critical items would leave residual risk.
