Web Security
Protect web applications and services from attacks.
9 of 9 frameworks cover this control
Framework Mappings
How Web Security maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.IR-01 |
| ISO 27001 | Covered | A.8.23 A.8.26 |
| CIS v8 | Covered | CIS 9.5 CIS 16.4 |
| SOC 2 | Covered | CC6.6 CC6.8 |
| PCI DSS | Covered | 6.4.1 6.4.2 6.4.3 |
| CMMC | Covered | SC.L2-3.13.1 |
| 800-53 | Covered | SC-7 SI-3 |
| HIPAA | Covered | §164.312(e)(1) |
| GDPR | Covered | Art.32(1)(b) |
About Web Security
Web Security is a cybersecurity control in the Protect domain: it protects internet-facing applications and services from common attack vectors including cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and distributed denial-of-service (DDoS) attacks. Implementation involves deploying web application firewalls (WAFs), defining a Content Security Policy (CSP), enforcing HTTPS across all web properties, and conducting regular web application penetration testing. Organizations should also send security response headers (such as HTTP Strict Transport Security), manage TLS certificates proactively so they are renewed before expiry, and maintain an inventory of all publicly accessible web applications and APIs.
This control is recognized by all 9 frameworks tracked by ControlMap: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR.
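The CSP, HTTPS enforcement and secure-header points above are the parts of this control an engineer actually implements and a pentester actually checks. The following is an added example, not ControlMap's code: it builds a baseline header set (the directive values, the one-year HSTS lifetime and the per-response script nonce are assumptions a practitioner would tune) and audits a server's returned headers for the weaknesses a web application test would report. The weak response at the bottom is constructed sample data.

```javascript
"use strict";

// Build a Content-Security-Policy string from an object so the policy is
// reviewable as data rather than as one long string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) =>
      sources.length ? `${name} ${sources.join(" ")}` : name)
    .join("; ");
}

// Baseline security headers (assumed values, not a ControlMap standard).
// `nonce` must be generated fresh per response by the server and placed on
// every inline <script> it intends to allow; without that, 'nonce-...' is
// meaningless and the temptation is to fall back to 'unsafe-inline'.
function securityHeaders(nonce) {
  return {
    "Content-Security-Policy": buildCsp({
      "default-src": ["'self'"],
      "script-src": ["'self'", `'nonce-${nonce}'`],
      "object-src": ["'none'"],
      "base-uri": ["'self'"],
      "frame-ancestors": ["'none'"],
      "upgrade-insecure-requests": [],
    }),
    // One year, as the preload list requires; includeSubDomains closes the
    // "cookie set by an HTTP subdomain" hole.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
  };
}

// Audit the headers a server actually returned (any key casing; Node's http
// module lower-cases them) and return the findings a report would list.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("missing Content-Security-Policy");
  } else {
    // [^;]* keeps each test inside the script-src directive only.
    if (/script-src[^;]*'unsafe-inline'/.test(csp))
      findings.push("CSP script-src allows 'unsafe-inline' (XSS mitigation defeated)");
    if (/script-src[^;]*\*/.test(csp))
      findings.push("CSP script-src contains a wildcard source");
    if (!/object-src\s+'none'/.test(csp))
      findings.push("CSP does not set object-src 'none' (plugin-based script execution)");
  }

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/.exec(hsts);
    if (!m || Number(m[1]) < 31536000)
      findings.push("HSTS max-age below one year");
  }

  if (h["x-content-type-options"] !== "nosniff")
    findings.push("missing X-Content-Type-Options: nosniff");
  if (!h["x-frame-options"] && !/frame-ancestors/.test(csp || ""))
    findings.push("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)");

  return findings;
}

// Constructed sample: a permissive configuration of the kind pentests flag.
const WEAK_RESPONSE_HEADERS = {
  "content-type": "text/html",
  "content-security-policy": "default-src *; script-src * 'unsafe-inline'",
  "strict-transport-security": "max-age=300",
};

console.log("baseline findings:", auditHeaders(securityHeaders("r4nd0m")));
console.log("weak findings:", auditHeaders(WEAK_RESPONSE_HEADERS));
```

Run it with `node` to see the baseline audit clean and the constructed weak response produce six findings. The audit is deliberately a small allow-list of checks; extend it with the inventory from the paragraph above by fetching `/` from each listed host and feeding `response.headers` to `auditHeaders`, which turns the "maintain an inventory" requirement into something that can be run on a schedule.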