ISM-0971 (policy) - ASD Information Security Manual (ISM)

Use OWASP Standards in Web Application Development

Developers must use OWASP standards for building secure web applications.


Plain language

Using the OWASP standards in web development means building your websites or online services in a way that protects them from being hacked or misused. If this isn't done, the risk is that attackers could steal sensitive information, damage your reputation, or disrupt your business operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The OWASP Application Security Verification Standard is used in the development of web applications.

Why it matters

Without using OWASP ASVS, web apps are more exposed to common flaws, leading to data theft and loss of trust.


Operational notes

Apply OWASP ASVS requirements in design and code reviews, and verify with testing before each release.


Implementation tips

  • Developers should familiarise themselves with the OWASP standards. This can be done by visiting the official OWASP website, downloading the documentation, and participating in online training sessions to ensure they understand how to apply these standards.
  • Project managers should ensure OWASP guidelines are included in project plans. This involves reviewing project documentation to confirm that security measures align with OWASP's key principles, such as protecting against common web vulnerabilities.
  • IT leads should integrate OWASP testing into the development lifecycle. They can achieve this by scheduling regular code reviews and vulnerability assessments that specifically check for OWASP compliance before any software release.
  • Business owners should prioritise security in their budget. This means allocating funds to purchase tools or hire experts that help implement and verify OWASP standards during development projects.
  • Team leaders should hold regular training sessions for developers. This includes organising workshops where developers practice coding securely and understanding real-world attack prevention based on OWASP guidelines.

Audit / evidence tips

  • Ask for: the web application development checklist. Request the checklist that was used during development to ensure OWASP standards are followed. Good evidence: a checklist that shows a thorough application of OWASP standards with no unchecked items.
  • Ask for: the training records on OWASP standards. Request documentation showing when and what OWASP training developers have completed. Good evidence: a detailed log showing regular training sessions with all developers attending.
  • Ask for: vulnerability assessment reports. Request the reports from any security testing related to OWASP compliance. Good evidence: reports showing no major unaddressed OWASP-defined vulnerabilities.
  • Ask for: the project plans with security alignment. Request the project plans referencing OWASP guidelines, and look to see how security checkpoints are integrated into the timeline. Good evidence: clearly laid out stages with specific OWASP security goals at each point.
  • Ask for: documentation of security incidents. Request records of any security incidents and how they were managed with reference to OWASP guidelines. Good evidence: detailed incident logs showing effective use of OWASP to prevent reoccurrence.

Cross-framework mappings

How ISM-0971 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.27: ISM-0971 focuses on building web applications to a recognised OWASP verification standard (ASVS)
  • Annex A 8.29: ISM-0971 requires web applications to be developed against OWASP ASVS, which defines verification requirements and associated testing exp...

Supports (2)
  • Annex A 8.26: requires organisations to identify, specify and approve security requirements for applications during development or acquisi...
  • Annex A 8.28: requires the application of secure coding principles in software development

Related (1)
  • Annex A 8.25: requires defined and consistently applied secure development rules across the lifecycle

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
