2.2.3 Configure system security parameters to prevent misuse.
6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.
Is this web-server even in the cardholder data environment.
I've seen lots of people complain about PCI DSS not beeing good enough, even in companies I have been employed. But still, they're not able to comply with some of the easiest requirements in PCI DSS. *sigh*