ISM-1239 ASD Information Security Manual (ISM)

Ensure Use of Robust Web Application Frameworks

Develop web apps using strong frameworks to enhance security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Robust web application frameworks are used in the development of web applications.

Source: ASD Information Security Manual (ISM)

Plain language

Using a strong web application framework to develop your website is like building a house with a solid foundation. It helps keep your site secure from hackers who might try to break in and steal data or cause other issues. Without it, you risk facing data breaches, financial losses, or damage to your business reputation.

Why it matters

Neglecting robust web frameworks invites common web flaws, risking customer data exposure and harming the organisation’s reputation.

Operational notes

Standardise on vetted web frameworks, keep them patched, and remove unsupported versions to reduce common web application vulnerabilities.

Implementation tips

  • Web development team should select a reputable web application framework: Choose a framework known for its robust security features, such as Django or Ruby on Rails. Research and compare their security capabilities and community support to make an informed choice.
  • IT team should configure the framework's security settings: Follow the framework’s security guidelines to properly set up secure defaults. This includes settings for password protection, data encryption, and access controls.
  • Project manager should document the framework choice: Record why the specific framework was chosen, highlighting its security benefits. This document should be reviewed and approved by the relevant stakeholders.
  • Web development team should integrate security updates: Regularly apply updates and patches provided by the framework's developers. Set up alerts or a process for monitoring when updates are released.
  • System owner should provide training on secure coding practices: Ensure all developers understand and follow best practices for secure coding using the selected framework. Organise workshops or training sessions with practical examples.
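
The "configure the framework's security settings" step above is the one an assessor will most often want to see evidence for. The script below is an added example, not code from Control Stack, ASD or the Django project: it audits a Django settings module (represented here as a plain dict, as in settings.py) against a hardened baseline and lists every setting that departs from it. The setting names are real Django settings; the baseline thresholds and the two sample configurations are this example's own assumptions.

```python
"""Audit Django settings against a hardened baseline (added example).

Assumes the project's settings are available as a dict of setting name to
value. The setting names are real Django settings; the thresholds below are
this example's assumptions, not an official ASD or Django baseline.
"""
from typing import Any, Callable, Dict, List, Tuple

# Each rule: setting name, predicate that is True when the value is acceptable,
# and the message recorded as a finding when it is not.
RULES: List[Tuple[str, Callable[[Any], bool], str]] = [
    ("DEBUG", lambda v: v is False,
     "must be False in production (tracebacks leak source and settings)"),
    ("ALLOWED_HOSTS", lambda v: bool(v) and "*" not in v,
     "must be an explicit host list, not a wildcard"),
    ("SECRET_KEY", lambda v: isinstance(v, str) and len(v) >= 50
     and not v.startswith("django-insecure-"),
     "must be long and not the generated 'django-insecure-' placeholder"),
    ("SECURE_SSL_REDIRECT", lambda v: v is True, "must be True"),
    ("SESSION_COOKIE_SECURE", lambda v: v is True, "must be True"),
    ("CSRF_COOKIE_SECURE", lambda v: v is True, "must be True"),
    ("SECURE_HSTS_SECONDS", lambda v: isinstance(v, int) and v >= 31536000,
     "should be at least one year (31536000 seconds)"),
    ("SECURE_CONTENT_TYPE_NOSNIFF", lambda v: v is True, "must be True"),
    ("X_FRAME_OPTIONS", lambda v: v in ("DENY", "SAMEORIGIN"),
     "must be DENY or SAMEORIGIN"),
]


def audit_settings(settings: Dict[str, Any]) -> List[str]:
    """Return one finding string per setting that is missing or weak."""
    findings: List[str] = []
    for name, is_ok, message in RULES:
        if name not in settings:
            findings.append(f"{name}: not set ({message})")
        elif not is_ok(settings[name]):
            findings.append(f"{name}: {message}")
    return findings


# Constructed sample: a development-style configuration left in place.
WEAK_SETTINGS: Dict[str, Any] = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECRET_KEY": "django-insecure-change-me",
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
    # SECURE_CONTENT_TYPE_NOSNIFF deliberately absent
}

# Constructed sample: the same project brought up to the baseline.
HARDENED_SETTINGS: Dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["app.example.invalid"],  # placeholder hostname
    "SECRET_KEY": "x" * 64,  # placeholder; load from a secret store in practice
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "X_FRAME_OPTIONS": "DENY",
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        found = audit_settings(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Running it prints eight findings for the weak configuration and none for the hardened one. The output, kept with the date it was produced, is the kind of artefact that satisfies the "framework configuration" evidence request in the audit tips. Django ships its own equivalent check, `python manage.py check --deploy`, which should also be run against the real settings module; this standalone version only exists so the check can be read and reproduced without a Django install.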

Audit / evidence tips

  • Ask for the framework selection document: request the document explaining why the chosen web application framework was selected.

    Good: includes clear evidence that security was considered as part of the decision.

  • Ask to see the framework configuration: request a review of the current security configuration of the web application framework.

    Good: shows that security settings are aligned with the framework's recommended guidelines.

  • Ask for update logs: request records of updates and patches applied to the web application framework.

    Good: shows that updates are applied regularly and in a timely manner.

  • Ask for training records: request evidence of training sessions or materials provided to developers.

    Good: includes regular training sessions with attendance logs or training materials.

  • Ask for penetration testing reports: request any reports from security tests conducted on the web application.

    Good: includes recent test results with documented fixes for any issues found.

Cross-framework mappings

How ISM-1239 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.25: ISM-1239 requires robust web application frameworks to be used for web application development
  • Annex A 8.26: ISM-1239 requires robust web application frameworks to be used when developing web applications

Supports (3)

  • Annex A 8.28: Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities
  • Annex A 8.29: ISM-1239 requires the use of robust web application frameworks to reduce common web application security weaknesses by design
  • Annex A 8.30: ISM-1239 requires robust web application frameworks to be used for secure web application development
