WEB-09: Validation & Sanitization

There is no evidence of a capability to ensure all input handled by a web application is validated and/ or sanitized.

C|P-CMM1 is N/A, since a structured process is required to ensure all input handled by a web application is validated and/ or sanitized.

C|P-CMM2 is N/A, since a well-defined process is required to ensure all input handled by a web application is validated and/ or sanitized.

Web Security (WEB) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Utilize Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats. o Restrict inbound traffic to authorized devices on certain services, protocols and ports.

• A Validated Architecture Design Review (VADR) evaluates Internet-facing design criteria for secure practices and conformance with requirements for applicable statutory, regulatory and contractual controls to determine if the system/application/service is designed, built and operated in a secure and resilient manner.
• A change notification capability exists to scan web pages for changes, which are reviewed by appropriate personnel to determine if changes are authorized or unauthorized.
• Ongoing content reviews are performed to ensure web pages do not contain non-public information.
• Security engineering, or a similar function, ensures that Internet-facing devices conform to industry-recognized standards for configuration hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments. This includes creating special hardening requirements for High-Value Assets (HVAs).
• An Identity & Access Management (IAM) function, or similar function, enables the implementation of identification and access management controls for Internet-facing technologies.
• Technologies are configured to implement Strong Customer Authentication (SCA) for consumers to prove their identity.
• Administrative processes exist and technologies are configured to provide Internet-facing individuals (e.g., customers, users, clients, etc.) with clear and precise information about cookies, in accordance with regulatory requirements for cookie management.
• An IT Asset Management (ITAM) function, or similar function, categorizes network devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
• Boundary protections:

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure all input handled by a web application is validated and/ or sanitized.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure all input handled by a web application is validated and/ or sanitized.