The organisation should establish and maintain a documented web application security testing program covering all
internet-accessible web applications, portals, APIs, authentication endpoints, and administrative interfaces under its
control. The program must maintain an inventory of in-scope systems, including owners, external URLs/domains, data
classification, and criticality, to ensure complete coverage and accountability.
Periodic security testing should be performed to verify protection against the OWASP Top 10 (2021) vulnerability
categories and against common network-level attacks on the exposed services. Testing should combine automated
vulnerability scanning with risk-based manual validation, covering broken access control, identification and
authentication failures, session management, injection, cryptographic failures, insecure design, security
misconfiguration, vulnerable and outdated components, software and data integrity failures, security logging and
monitoring failures, and server-side request forgery (SSRF) where applicable. Testing should also verify externally
exposed configuration controls, including TLS protocol and cipher settings, security response headers, and the absence
of exposed debug or administrative functions.
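The externally exposed configuration checks above lend themselves to an automated baseline that the testing program can run between full assessments. The following is an added example, not part of the original policy text: it parses a captured HTTP response header block, evaluates it against a minimal security-header baseline (HSTS age and scope, CSP with clickjacking protection, nosniff, version-disclosing banners), and flags probed debug or administrative paths that answered 200 without requiring authentication. The sample responses, the one-year HSTS threshold, and the probe path list are constructed assumptions for illustration, not a standard.

```python
"""Baseline check of externally observable web configuration controls.

Added example for a web application security testing program. All sample
responses, thresholds and path lists below are constructed assumptions.
"""
import re

# Assumption: one year is the minimum acceptable HSTS max-age for this baseline.
HSTS_MIN_AGE = 31536000

# Assumption: paths the program probes for exposed debug/admin functionality.
DEBUG_ADMIN_PATHS = ("/admin", "/actuator/env", "/debug", "/phpinfo.php", "/.env")


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw response header block into a lower-cased name -> value map.

    Header names are case-insensitive, so they are normalised for lookup.
    The status line and any non-header lines are skipped.
    """
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, finding) tuples; an empty list means the baseline is met."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(match.group(1)) if match else 0
        if age < HSTS_MIN_AGE:
            findings.append(("medium", f"HSTS max-age {age} below {HSTS_MIN_AGE}"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains"))

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "Content-Security-Policy missing"))
    elif "frame-ancestors" not in csp.lower() and "x-frame-options" not in headers:
        findings.append(("medium", "no clickjacking protection (frame-ancestors / X-Frame-Options)"))

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    # A banner that carries a digit almost always discloses a product version.
    for banner in ("server", "x-powered-by", "x-aspnet-version"):
        value = headers.get(banner)
        if value and re.search(r"\d", value):
            findings.append(("low", f"{banner} discloses version: {value}"))

    return findings


def check_exposed_paths(probe_results: dict[str, int]) -> list[str]:
    """Probed debug/admin paths that answered 200 (i.e. reachable without auth).

    probe_results maps path -> HTTP status observed from the external perspective.
    A 401/403/404 on an admin path is acceptable; a 200 is a finding.
    """
    return [path for path, status in probe_results.items()
            if path in DEBUG_ADMIN_PATHS and status == 200]


# Constructed sample: a weak configuration.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html
Strict-Transport-Security: max-age=300
"""

# Constructed sample: the same service after hardening.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html
"""


def run_example() -> dict[str, object]:
    """Evaluate both constructed samples and a constructed path probe result."""
    return {
        "weak": check_headers(parse_headers(WEAK_RESPONSE)),
        "hardened": check_headers(parse_headers(HARDENED_RESPONSE)),
        "exposed": check_exposed_paths({"/": 200, "/admin": 401, "/actuator/env": 200}),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
```

The header checks are deliberately conservative: they only test for presence and the few values that are unambiguous, since a full CSP evaluation needs knowledge of the application. Retained output from such a run is the kind of evidence the program's retention and retest requirements below call for.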
The program should define and document:
- Minimum testing frequency and triggers, including at least annual testing for all in-scope systems, additional
testing following significant changes (e.g., major releases, infrastructure changes, authentication changes), and
more frequent testing for high-risk systems
- Test results and evidence retention requirements
- Remediation owners and severity-based remediation timeframes
- Central vulnerability tracking to closure, including evidence of retesting to confirm effective remediation
- Management escalation for overdue items or accepted residual risks