Application Security · AS-Q03

Question: Are web applications protected against common OWASP Top 10 vulnerabilities through validation, encoding, and secure frameworks?

  1. Objective — Why This Matters
    Input validation and output encoding are the first defense lines against injection, XSS, and related attacks. Framework security must be leveraged, not disabled.

  2. Maturity Levels (0 – 5)

0 — Unaware
No input validation or sanitization.
1 — Ad Hoc
Developers add manual checks inconsistently.
2 — Defined
Validation library standardized; output encoding documented.
3 — Managed
Framework security controls enabled and tested.
4 — Integrated
Automated DAST scans validate defenses.
5 — Optimized
Central validation service with continuous coverage metrics.
  3. How to Level Up

    From → To   Actions
    0 → 1       Add basic input checks on user forms.
    1 → 2       Adopt common validation libraries (e.g., OWASP ESAPI).
    2 → 3       Ensure framework security options (e.g., Spring Security) are enabled.
    3 → 4       Integrate DAST in CI (e.g., OWASP ZAP).
    4 → 5       Centralize the validation service and monitor coverage.
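The objective above and the 0 → 1 and 1 → 2 steps both rest on two separate controls: allow-list input validation for structured fields and context-aware output encoding wherever data is written into a page. The following is an added example written for this page, not code from the assessment framework or from the OWASP projects it names; it uses Python's html.escape and urllib.parse.quote as stand-ins for the encoders the OWASP Java Encoder provides (Encode.forHtml, Encode.forHtmlAttribute, Encode.forUriComponent), and the field names, patterns and sample inputs are constructed for illustration. It shows the "before" shape (length check only, raw concatenation) beside the hardened shape, and why a free-text field such as a display name still needs encoding even after it passes validation.

```python
import html
import re
from urllib.parse import quote

# Allow-list patterns for structured fields (constructed for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
RECORD_ID_RE = re.compile(r"[0-9]{1,10}")


class ValidationError(ValueError):
    """Raised when input fails allow-list validation; the caller rejects the request."""


def validate_username(value: str) -> str:
    """Structured field: only the allow-listed character set and length pass."""
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username must be 3-32 characters of [A-Za-z0-9_.-]")
    return value


def validate_record_id(value: str) -> int:
    """Numeric id: reject anything that is not a short run of digits."""
    if not RECORD_ID_RE.fullmatch(value):
        raise ValidationError("record id must be 1-10 digits")
    return int(value)


def validate_display_name(value: str) -> str:
    """Free-text field: bound the length and reject control characters only.
    Characters such as ' < & are legitimate here (O'Brien, AT&T); they are
    made safe by output encoding, not by rejecting the user."""
    if not 1 <= len(value) <= 64 or any(ord(c) < 0x20 for c in value):
        raise ValidationError("display name must be 1-64 printable characters")
    return value


def encode_html_text(value: str) -> str:
    """HTML body context: & < > " ' become entities (html.escape stands in
    for Encode.forHtml in the OWASP Java Encoder)."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted attribute context: the same entity set prevents a stray quote
    from closing the attribute; always pair with quoted attributes."""
    return html.escape(value, quote=True)


def encode_url_param(value: str) -> str:
    """URL query context: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def render_profile_vulnerable(display_name: str, username: str) -> str:
    """'Before' shape: input is length-checked but concatenated raw into HTML."""
    name = validate_display_name(display_name)
    return (f"<h1>Hello {name}</h1>"
            f'<a href="/users?u={username}" title="{name}">profile</a>')


def render_profile_hardened(display_name: str, username: str) -> str:
    """'After' shape: allow-list validation plus per-context output encoding."""
    name = validate_display_name(display_name)
    user = validate_username(username)
    return (f"<h1>Hello {encode_html_text(name)}</h1>"
            f'<a href="/users?u={encode_url_param(user)}" '
            f'title="{encode_html_attr(name)}">profile</a>')


if __name__ == "__main__":
    # Constructed sample inputs: a benign name that still needs encoding,
    # and markup that validation alone cannot safely admit.
    print(render_profile_hardened("O'Brien", "obrien"))
    print(render_profile_hardened("<b>bold</b>", "mallory"))
```

The split matters for the maturity ladder: a level 1 team typically adds checks like validate_username and stops, while level 2 standardizes the encoding functions so every template uses the right encoder for its context. A DAST scan at level 4 would flag the vulnerable renderer (markup reflected verbatim) and pass the hardened one.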
  4. People / Process / Technology Enablers
    People – Developers, QA Engineers.
    Process – Secure coding review, test cases for OWASP Top 10.
    Technology – ESAPI, OWASP ZAP, Burp Community.

  5. Evidence Required
    Secure coding checklists, DAST reports, QA sign-off records.

  6. Metrics / KPIs
    • Percentage of apps tested for OWASP Top 10 vulnerabilities
    • Number of critical issues detected per release
    • Average time to remediate DAST findings

  7. Low-Cost / Open-Source Options (MSME)

    Purpose     Tool                          Notes
    Validation  ESAPI / OWASP Java Encoder    Reusable libraries for sanitization and encoding.
    Testing     OWASP ZAP / Burp Community    Dynamic analysis of web apps.
    Reporting   DefectDojo                    Aggregate test findings and track closure.
  8. Common Pitfalls
    Turning off framework security features for speed; no test automation.

  9. Compliance Mapping

    Standard          Clauses / Notes
    ISO 27001         A.8.25 / A.8.28.
    NIST CSF 2.0      PR.DS-6 / DE.CM-1.
    CERT-In 2022      Web app security requirement.
    NIRMATA Scoring   AS-Q03 ≥ Level 4 requires automated DAST integration.