Ensure Use of Robust Web Application Frameworks
Develop web apps using strong frameworks to enhance security.
Plain language
Using a strong web application framework to develop your website is like building a house with a solid foundation. It helps keep your site secure from hackers who might try to break in and steal data or cause other issues. Without it, you risk facing data breaches, financial losses, or damage to your business reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Section
Web application development
Official control statement
Robust web application frameworks are used in the development of web applications.
Why it matters
Neglecting robust web frameworks invites common web flaws, risking customer data exposure and harming the organisation’s reputation.
Operational notes
Standardise on vetted web frameworks, keep them patched, and remove unsupported versions to reduce common web application vulnerabilities.
Implementation tips
- Web development team should select a reputable web application framework: Choose a framework known for its robust security features, such as Django or Ruby on Rails. Research and compare their security capabilities and community support to make an informed choice.
- IT team should configure the framework's security settings: Follow the framework’s security guidelines to properly set up secure defaults. This includes settings for password protection, data encryption, and access controls.
- Project manager should document the framework choice: Record why the specific framework was chosen, highlighting its security benefits. This document should be reviewed and approved by the relevant stakeholders.
- Web development team should integrate security updates: Regularly apply updates and patches provided by the framework's developers. Set up alerts or a process for monitoring when updates are released.
- System owner should provide training on secure coding practices: Ensure all developers understand and follow best practices for secure coding using the selected framework. Organise workshops or training sessions with practical examples.
Audit / evidence tips
- Ask: the framework selection document. Request the document explaining why the chosen web application framework was selected.
  Good: includes clear evidence of security considerations as part of the decision.
- Ask: to see the framework configuration. Request to review the current configuration settings of the web application framework.
  Good: shows that security settings are aligned with the recommended guidelines.
- Ask: update logs. Request records of updates and patches applied to the web application framework.
  Good: shows that updates are applied regularly and in a timely manner.
- Ask: training records. Request evidence of training sessions or materials provided to developers.
  Good: includes regular training sessions with attendance logs or training materials.
- Ask: penetration testing reports. Request any reports from security tests conducted on the web application.
  Good: includes recent test results with documented fixes for any issues found.
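The "configure the framework's security settings" implementation tip and the "to see the framework configuration" evidence tip both come down to one check: do the framework's deployment-relevant settings match its published hardening guidance? The script below is an added example, not part of this control entry and not Django's own tooling. It audits a Django-style settings dictionary offline against a subset of the checks that Django's `manage.py check --deploy` performs. The setting names are real Django settings; the table of defaults reflects recent Django documentation (an assumption to verify against the version in use); the weak and hardened settings dictionaries are constructed samples, and the hardened `SECRET_KEY` is a placeholder.

```python
"""Offline audit of Django-style settings against common deployment hardening
expectations.  Constructed example: it approximates a subset of what
`manage.py check --deploy` reports, without importing Django, so an auditor
can run it against a settings dump supplied as evidence."""

# Django's documented defaults for the settings inspected here (assumption:
# taken from recent Django releases; confirm against the deployed version).
DJANGO_DEFAULTS = {
    "DEBUG": False,
    "SECRET_KEY": "",
    "ALLOWED_HOSTS": [],
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_SSL_REDIRECT": False,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_HSTS_SECONDS": 0,
    "MIDDLEWARE": [],
}

# Middleware that Django's deployment checks expect in a production stack.
REQUIRED_MIDDLEWARE = (
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
)

BOOLEAN_FLAGS = (
    "SESSION_COOKIE_SECURE",
    "CSRF_COOKIE_SECURE",
    "SESSION_COOKIE_HTTPONLY",
    "SECURE_SSL_REDIRECT",
    "SECURE_CONTENT_TYPE_NOSNIFF",
)


def audit_settings(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged.

    Keys absent from `settings` fall back to Django's defaults, so a flag that
    Django already enables by default is not reported just because the
    settings file never mentions it."""
    effective = {**DJANGO_DEFAULTS, **settings}
    findings = []

    if effective["DEBUG"]:
        findings.append("DEBUG is True: detailed tracebacks would be shown to end users")

    key = effective["SECRET_KEY"]
    if not key:
        findings.append("SECRET_KEY is empty")
    elif key.startswith("django-insecure-"):
        findings.append("SECRET_KEY still carries the 'django-insecure-' prefix generated by startproject")
    elif len(key) < 50:
        findings.append("SECRET_KEY is shorter than 50 characters")

    hosts = effective["ALLOWED_HOSTS"]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or wildcarded: Host header validation is ineffective")

    for flag in BOOLEAN_FLAGS:
        if not effective[flag]:
            findings.append(f"{flag} is not True")

    if effective["SECURE_HSTS_SECONDS"] <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header is sent")

    for mw in REQUIRED_MIDDLEWARE:
        if mw not in effective["MIDDLEWARE"]:
            findings.append(f"{mw} is missing from MIDDLEWARE")

    return findings


# Constructed sample: roughly what `startproject` leaves behind if deployed untouched.
WEAK_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-abc123",
    "ALLOWED_HOSTS": ["*"],
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
}

# Constructed sample of a hardened production configuration.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "x" * 60,  # placeholder only; a real key comes from a secrets store
    "ALLOWED_HOSTS": ["app.example.com"],
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        "django.middleware.clickjacking.XFrameOptionsMiddleware",
    ],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {len(audit_settings(cfg))} finding(s)")
        for finding in audit_settings(cfg):
            print("  -", finding)
```

Run against a settings dump supplied as audit evidence, the weak sample produces ten findings and the hardened sample none. The script is a screening aid: Django's own `check --deploy` remains the authoritative list for the version in use, and an equivalent audit for Rails would inspect its `config/environments/production.rb` settings instead.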
Cross-framework mappings
How ISM-1239 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.25 | ISM-1239 requires robust web application frameworks to be used for web application development |
| Partially meets | Annex A 8.26 | ISM-1239 requires robust web application frameworks to be used when developing web applications |
| Supports | Annex A 8.28 | Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities |
| Supports | Annex A 8.29 | ISM-1239 requires the use of robust web application frameworks to reduce common web application security weaknesses by design |
| Supports | Annex A 8.30 | ISM-1239 requires robust web application frameworks to be used for secure web application development |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.