XSS

The Content Security Program of the Motion Picture Association (MPA) specifies security requirements in three areas in its Content Security Best Practices Common Guidelines (Version 4.10 of February 8, 2022):

• Management System
• Physical Security
• Digital Security

In the requirements for the management system, vulnerability scans and external penetration tests are to be carried out in number MS-2.1 in the risk management category. There a reference is made to the requirements DS-1.8 and DS-1.9.

The requirement DS-1.9 (Firewall / WAN / Perimeter Security) requires the implementation of annual penetration tests of all external IP addresses and systems. DS-1.8 also requires monthly vulnerability scans.

Furthermore, one also finds the requirement to carry out web application penetration tests (DS-15.9, Client Portal). Here are some more detailed requirements:

• The pentest should also include any APIs.
• The test should be carried out both with and without valid access data.
• The typical guidelines such as the OWASP publications should be adhered to so that XSS, SQL injections, and CSRF can also be found.

It is generally recommended that penetration testing is performed by an independent third party.