Question OPAP-09
Describe or provide a reference to how you monitor for and protect against common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.).
| Field | Value |
|---|---|
| Weight | 20 |
| High Risk | No |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
Ensure that all elements of OPAP-09 are clearly stated in your response.
Answering "NO"
Ensure that all elements of OPAP-09 are clearly stated in your response.
Answering "YES"
Ensure that all elements of OPAP-09 are clearly stated in your response.
Reason for Question
Adherence to secure coding best practices better positions a vendor to maintain confidentiality, integrity and availability (the CIA triad). Use the information in this response when evaluating other vendor statements, particularly those focused on development and the protection of communications. Vendors should be monitoring for and addressing these issues in their products.
Follow-Up Inquiries
If information security principles are not designed into the product life cycle, point the vendor to OWASP's Secure Coding Practices - Quick Reference Guide at https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
Inquire about the tools a vendor uses, the interval at which systems are monitored and findings mitigated, whether findings are tracked through to remediation, and who is responsible for the process or procedure in place for this monitoring.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]