ISM-1849 ASD Information Security Manual (ISM)

Implement OWASP Top 10 in Web Development

Use OWASP Top 10 controls to secure web applications during development.

Framework: ASD Information Security Manual (ISM)

Control effect: Proactive

Classifications: NC, OS, P, S, TS

ISM last updated: Feb 2023

Control Stack last updated: 19 Mar 2026

E8 maturity levels: N/A

Official control statement
The OWASP Top 10 Proactive Controls are used in the development of web applications.

Source: ASD Information Security Manual (ISM)

Plain language

When building a website or online service, it is important to use known security practices to protect against common threats. The OWASP Top 10 lists the most common web application security risks, and the companion OWASP Top 10 Proactive Controls describe the development practices that counter them. By applying these, developers can avoid serious issues such as data breaches that could harm customers and damage the company's reputation.

Why it matters

If the OWASP Top 10 Proactive Controls are not implemented, web applications are more likely to ship with common flaws, increasing the risk of compromise and data loss.

Operational notes

Embed OWASP Top 10 Proactive Controls in requirements, code review checklists and CI testing (SAST/DAST), and track remediation of findings each sprint.

Implementation tips

  • Developers should incorporate secure coding principles: Educate your development team on the OWASP Top 10 and ensure they understand each risk involved. They can start by attending workshops or reviewing resources and examples on how to avoid these vulnerabilities during coding.
  • Managers should facilitate regular security check-ins: Schedule meetings with your development and security teams to discuss progress on implementing OWASP recommendations. Use real-world examples of threats to emphasise the importance and provide clear objectives for incorporating security measures into the development lifecycle.
  • Quality assurance teams should include security testing in their checklists: Add tests for the top 10 OWASP risks as part of the regular testing process for new application updates. This can involve using automated scanning tools or manual checks where testers attempt to exploit known issues.
  • IT teams should establish a secure development environment: Ensure that the development servers and tools are configured to prevent unauthorised access and include security protocols. For example, make sure that only authorised personnel have access to the code repositories.
  • Business owners should prioritise security reviews before launch: Before launching any new web application, conduct a final security review that includes an assessment against the OWASP Top 10. This review can be done by hiring experts or using online tools that offer security assessment services.

Audit / evidence tips

  • Ask: a list of security requirements based on the OWASP Top 10. Request documentation that outlines how each of the top 10 risks is being addressed in the development process.

    Good evidence: a comprehensive document that maps each OWASP risk to the specific controls or practices applied.

  • Ask: developer training records. Check whether the development team has undergone training on the OWASP Top 10 risks.

    Good evidence: recent training records and a plan for ongoing education.

  • Good evidence: a detailed report showing the tests performed, findings, and remediation actions taken.

  • Ask: evidence of management involvement in security review meetings.

    Good evidence: regular reviews with clear outcomes on improving web application security.

  • Good evidence: logs showing controlled and monitored access, with any irregular access investigated.

Cross-framework mappings

How ISM-1849 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Supports (2):

  • Annex A 8.26: ISM-1849 requires the use of the OWASP Top 10 Proactive Controls as a practical security baseline during web application development.
  • Annex A 8.28: Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities in developed software.

Related (1):

  • Annex A 8.25: Annex A 8.25 requires secure development lifecycle rules to be established and applied.
