Implement OWASP Top 10 in Web Development
Use OWASP Top 10 controls to secure web applications during development.
Plain language
When building a website or online service, it is important to follow known security practices that protect against common threats. The OWASP Top 10 Proactive Controls are a short, developer-focused list of the most important things to do in every web project (for example validating input, encoding output, enforcing access control and logging security events). They are distinct from the better-known OWASP Top 10 list of risks, which describes the flaws these controls are meant to prevent. Applying the Proactive Controls helps developers avoid serious issues such as data breaches that could harm customers and damage the organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Section
Web application development
Official control statement
The OWASP Top 10 Proactive Controls are used in the development of web applications.
Why it matters
If the OWASP Top 10 Proactive Controls are not applied, web applications are more likely to ship with common, well-understood flaws such as injection, broken access control and missing output encoding, increasing the risk of compromise and data loss.
Operational notes
Embed OWASP Top 10 Proactive Controls in requirements, code review checklists and CI testing (SAST/DAST), and track remediation of findings each sprint.
Implementation tips
- Developers should incorporate secure coding principles: Educate the development team on the OWASP Top 10 Proactive Controls and the risks each one addresses. Workshops, the OWASP Cheat Sheet Series and worked examples of each control applied in the team's own language and framework are a practical starting point.
- Managers should facilitate regular security check-ins: Schedule meetings with the development and security teams to track progress on implementing the Proactive Controls. Use real-world incidents to emphasise the importance and set clear, measurable objectives for incorporating each control into the development lifecycle.
- Quality assurance teams should include security testing in their checklists: Add tests that exercise each Proactive Control (for example injection, access-control and output-encoding tests) to the regular testing process for every application update. This can combine automated scanning (SAST/DAST) with manual checks in which testers attempt to exploit known classes of flaw.
- IT teams should establish a secure development environment: Ensure that development servers, build pipelines and tooling are configured to prevent unauthorised access and enforce security controls. For example, restrict access to code repositories to authorised personnel and require authentication for all access.
- Business owners should prioritise security reviews before launch: Before launching any new web application, conduct a final security review that includes an assessment against the OWASP Top 10 Proactive Controls. This review can be performed by an independent assessor or supported by automated scanners, with all findings tracked to closure before release.
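As an added illustration, not part of the ISM control text or this page's own material, the following Python shows three of the Proactive Controls in working code: allow-list input validation, secure database access through parameterised queries, and encoding data for the HTML context it is written into. The database, sample users and the injection payload are all constructed for the example; the vulnerable string-concatenation lookup is kept only to show the contrast with the parameterised version.

```python
"""Three OWASP Top 10 Proactive Controls demonstrated on an in-memory SQLite
database. Added example; constructed data; not production code."""
import html
import re
import sqlite3

# Constructed sample data for the example.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# A classic injection payload, used here only to show the difference between
# the vulnerable and the parameterised lookups.
PAYLOAD = "' OR '1'='1"

# Allow-list for usernames: lowercase letters, digits and underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Create and populate an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def validate_username(username: str) -> str:
    """Proactive Control: validate all inputs against an allow-list.

    Rejects anything outside the expected character set instead of trying to
    strip or escape suspicious characters.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Anti-pattern: the query is built by string concatenation, so the caller
    controls the SQL. Shown only for contrast."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list[str]:
    """Proactive Control: secure database access with a parameterised query.

    The driver sends the value separately from the SQL text, so it can never
    change the structure of the statement.
    """
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(username: str) -> str:
    """Proactive Control: encode untrusted data for the HTML element context
    before writing it into a page."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # The concatenated query returns every email; the parameterised one returns none.
    print(lookup_vulnerable(conn, PAYLOAD))
    print(lookup_parameterised(conn, PAYLOAD))
    # Validation rejects the payload outright; a well-formed name passes.
    try:
        validate_username(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(lookup_parameterised(conn, validate_username("alice")))
    # Script tags become inert text once encoded.
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and parameterisation are complementary rather than alternatives: the allow-list stops malformed input at the boundary, while the parameterised query stays safe even when a field legitimately contains quotes or other SQL metacharacters.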
Audit / evidence tips
- Ask: a list of security requirements based on the OWASP Top 10 Proactive Controls. Request documentation that outlines how each control is addressed in the development process.
  Good: a document that maps each Proactive Control to the specific practices, libraries, tests or checks applied in the project.
- Ask: developer training records. Check whether the development team has undergone training on the OWASP Top 10 Proactive Controls and the risks they address.
  Good: recent training records for current team members and a plan for ongoing education.
- Good: a detailed security testing report showing the tests performed against each control, the findings, and the remediation actions taken.
- Ask: evidence of management involvement in security review meetings.
  Good: records of regular reviews with clear, tracked outcomes for improving web application security.
- Good: access logs for development environments and code repositories showing controlled and monitored access, with any irregular access investigated.
Cross-framework mappings
How ISM-1849 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports | Annex A 8.26 | Annex A 8.26 requires application security requirements to be identified, specified and approved; ISM-1849's use of the OWASP Top 10 Proactive Controls provides a practical baseline for those requirements during web application development |
| Supports | Annex A 8.28 | Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities in developed software |
| Related | Annex A 8.25 | Annex A 8.25 requires secure development lifecycle rules to be established and applied |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.