ISM-1849 policy ASD Information Security Manual (ISM)

Implement OWASP Top 10 in Web Development

Use OWASP Top 10 controls to secure web applications during development.


Plain language

When building a website or online service, it is important to use known security practices to protect against common threats. The OWASP Top 10 is a list of the most common web application security risks, and by using it, developers can avoid serious issues like data breaches that could harm customers and damage the company's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The OWASP Top 10 Proactive Controls are used in the development of web applications.

Why it matters

If the OWASP Top 10 Proactive Controls are not implemented, web applications are more likely to ship with common flaws, increasing the risk of compromise and data loss.


Operational notes

Embed OWASP Top 10 Proactive Controls in requirements, code review checklists and CI testing (SAST/DAST), and track remediation of findings each sprint.


Implementation tips

  • Developers should incorporate secure coding principles: Educate your development team on the OWASP Top 10 and ensure they understand each risk involved. They can start by attending workshops or reviewing resources and examples on how to avoid these vulnerabilities during coding.
  • Managers should facilitate regular security check-ins: Schedule meetings with your development and security teams to discuss progress on implementing OWASP recommendations. Use real-world examples of threats to emphasise the importance and provide clear objectives for incorporating security measures into the development lifecycle.
  • Quality assurance teams should include security testing in their checklists: Add tests for the top 10 OWASP risks as part of the regular testing process for new application updates. This can involve using automated scanning tools or manual checks where testers attempt to exploit known issues.
  • IT teams should establish a secure development environment: Ensure that the development servers and tools are configured to prevent unauthorised access and include security protocols. For example, make sure that only authorised personnel have access to the code repositories.
  • Business owners should prioritise security reviews before launch: Before launching any new web application, conduct a final security review that includes an assessment against the OWASP Top 10. This review can be done by hiring experts or using online tools that offer security assessment services.

Audit / evidence tips

  • Ask: A list of security requirements based on the OWASP Top 10. Request documentation that outlines how each of the top 10 risks is being addressed in the development process. Good: A comprehensive document that maps each OWASP risk to specific controls or practices applied.
  • Ask: Developer training records. Check whether the development team has undergone training on OWASP Top 10 risks. Good: Includes recent training records and a plan for ongoing education.
  • Good: A detailed report showing tests performed, findings, and remediation actions taken.
  • Ask: Evidence of management involvement in security review meetings. Good: Includes regular reviews with clear outcomes on improving web application security.
  • Good: Logs showing controlled and monitored access, with any irregular access being investigated.

Cross-framework mappings

How ISM-1849 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (2)

  • Annex A 8.26: ISM-1849 requires the use of OWASP Top 10 Proactive Controls as a practical security baseline during web application development.
  • Annex A 8.28: Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities in developed software.

Related (1)

  • Annex A 8.25: Annex A 8.25 requires secure development lifecycle rules to be established and applied.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.