
WEB-12: Web Browser Security

WEB 9 — Critical Protect

Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.

Control Question: Does the organization ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users?

Framework Mappings

EMEA (1)
  Framework: Saudi Arabia CSCC-1 2019
  Mapping Values: 2-12-1-1

APAC (1)
  Framework: Australia ISM June 2024
  Mapping Values: ISM-1424

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.

Level 3 — Well Defined

Web Security (WEB) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Utilize Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.
  • Restrict inbound traffic to authorized devices on certain services, protocols and ports.
  • A Validated Architecture Design Review (VADR) evaluates Internet-facing design criteria for secure practices and conformance with requirements for applicable statutory, regulatory and contractual controls to determine if the system/application/service is designed, built and operated in a secure and resilient manner.
  • A change notification capability exists to scan web pages for changes, which are reviewed by appropriate personnel to determine if changes are authorized or unauthorized.
  • Ongoing content reviews are performed to ensure web pages do not contain non-public information.
  • Security engineering, or a similar function, ensures that Internet-facing devices conform to industry-recognized standards for configuration hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments. This includes creating special hardening requirements for High-Value Assets (HVAs).
  • An Identity & Access Management (IAM) function, or similar function, enables the implementation of identification and access management controls for Internet-facing technologies.
  • Technologies are configured to implement Strong Customer Authentication (SCA) for consumers to prove their identity.
  • Administrative processes exist and technologies are configured to provide Internet-facing individuals (e.g., customers, users, clients, etc.) with clear and precise information about cookies, in accordance with regulatory requirements for cookie management.
  • An IT Asset Management (ITAM) function, or similar function, categorizes network devices according to the data the asset stores, transmits and/or processes and applies the appropriate technology controls to protect the asset and data.
  • Boundary protections:

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.

Assessment Objectives

  1. WEB-12_A01 web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.
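One way an assessor or application team can evidence WEB-12_A01 is to evaluate a captured HTTP response's headers against the three named headers. The following is an added example and is not SCF content: the header semantics follow the respective specifications, while the one-year minimum HSTS max-age, the function names and the sample header sets (HARDENED and WEAK) are assumptions constructed for illustration.

```python
"""Evaluate captured HTTP response headers against WEB-12_A01.

Added example, not SCF content. Checks that Content-Security-Policy,
Strict-Transport-Security (HSTS) and X-Frame-Options are present and
not configured in a way that makes them ineffective.
"""
import re
from typing import Dict, List, Optional

# Assumption for this example: one year (31,536,000 s) is the minimum
# acceptable HSTS max-age.
MIN_HSTS_MAX_AGE = 31_536_000


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse a CSP value into {directive-name: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_csp(value: Optional[str]) -> List[str]:
    """Return findings for the Content-Security-Policy header (empty list = pass)."""
    if value is None:
        return ["Content-Security-Policy header missing"]
    d = _csp_directives(value)
    findings: List[str] = []
    if "default-src" not in d and "script-src" not in d:
        findings.append("CSP has neither default-src nor script-src; scripts are unrestricted")
    # script-src overrides default-src for scripts, so check the effective list.
    script_sources = d.get("script-src", d.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in script_sources:
            findings.append(f"script sources allow {weak}")
    return findings


def check_hsts(value: Optional[str]) -> List[str]:
    """Return findings for the Strict-Transport-Security header."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = [p.strip().lower() for p in value.split(";") if p.strip()]
    max_age = None
    for part in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', part)
        if m:
            max_age = int(m.group(1))
    findings: List[str] = []
    if max_age is None:
        findings.append("HSTS max-age directive missing; header is ineffective")
    elif max_age == 0:
        findings.append("HSTS max-age=0 tells browsers to drop the cached policy")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below the assumed minimum {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains (includeSubDomains absent)")
    return findings


def check_x_frame_options(value: Optional[str]) -> List[str]:
    """Return findings for the X-Frame-Options header."""
    if value is None:
        return ["X-Frame-Options header missing"]
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return []
    if v.startswith("ALLOW-FROM"):
        return ["X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors"]
    return [f"X-Frame-Options value {value!r} is not DENY or SAMEORIGIN"]


def check_security_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each WEB-12 header to its list of findings (empty list = pass)."""
    return {
        "Content-Security-Policy": check_csp(_get(headers, "Content-Security-Policy")),
        "Strict-Transport-Security": check_hsts(_get(headers, "Strict-Transport-Security")),
        "X-Frame-Options": check_x_frame_options(_get(headers, "X-Frame-Options")),
    }


def is_compliant(headers: Dict[str, str]) -> bool:
    """True only when all three headers are present with no findings."""
    return all(not findings for findings in check_security_headers(headers).values())


# Constructed sample responses (not captured from any real system).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "strict-transport-security": "max-age=300",
    # X-Frame-Options deliberately absent
}

if __name__ == "__main__":
    for label, sample in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(f"{label}: compliant={is_compliant(sample)}")
        for header, findings in check_security_headers(sample).items():
            for f in findings:
                print(f"  {header}: {f}")
```

The checker reports every finding rather than stopping at the first one, so the output can be attached as evidence for the assessment objective and re-run after each fix. Note that when a CSP carries frame-ancestors, browsers that support it ignore X-Frame-Options; the control still asks for both, so the example treats a missing X-Frame-Options as a finding regardless.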

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
