How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-15-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-15-1

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-15-1 – Cybersecurity requirements for external web applications must be defined, documented and approved.

Understanding the Requirement

This control requires an SMB to formally define what security controls, configurations and operational practices apply to any externally facing web application, to document those requirements, and to obtain executive approval. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), the focus is on ensuring risk-based technical safeguards (for example WAF, MFA, secure protocols), secure development and testing practices, operational hygiene (backups, port/service screening), and an approved policy that assigns ownership and enforcement responsibility.

Technical Implementation

  • Create a concise External Web Application Security Requirements document and get executive sign-off: list the required controls (WAF, HTTPS/TLS, MFA, backups, vulnerability scanning, port/service review), name the application owner, set acceptance criteria for deployment, and define a change control process. Keep the document versioned in a central place (e.g., a secure document repository) and require sign-off by the organization head or their deputy.

  • Deploy perimeter and runtime protections: implement a Web Application Firewall (cloud-managed or appliance) with OWASP rulesets and tuned exceptions. Enforce HTTPS for all traffic with certificate management (automated renewal). Where possible, use a managed CDN/WAF service to reduce operational overhead for SMBs.

  • Enforce strong access and authentication controls: require Multi-Factor Authentication (MFA) for all administrative and developer access to the application and its deployment pipeline. Define role-based access controls (RBAC) and document acceptable user behavior in a secure usage policy that is communicated to all users.

  • Adopt secure development and testing practices: mandate development and update standards (secure coding guidelines, dependency/upstream patching policy) and require static/dynamic testing before production (SAST/DAST or managed vulnerability scans). Keep test results and remediation tickets as part of the application’s security record.

  • Operational hygiene: schedule regular vulnerability assessments (application-specific scans and authenticated scans), perform port and service discovery to detect unnecessary open ports or unused protocols, and maintain a documented remediation timeline. Use simple automated scripts or lightweight tools to scan weekly or monthly depending on exposure.

  • Backups and logging: configure regular backups of application data and critical configuration stored in secure, off-site locations; retain and protect backup logs. Enable logging and centralized collection for web access and WAF events, and review logs on a regular cadence aligned with your incident response process.

Example in a Small or Medium Business

Acme Marketing, a 40-employee SMB, runs a customer portal and a marketing site that are publicly accessible. The IT manager drafts an External Web Application Security Requirements document that lists mandatory controls: cloud WAF with OWASP rule set, TLS 1.2+ with automated certificate renewals, MFA for admin consoles, weekly vulnerability scans, monthly port/service reviews, secure coding standards, and daily encrypted backups stored in a separate cloud account. The document assigns application ownership to the IT manager and requires the CEO’s approval before any new public-facing app goes live. The development team updates their CI/CD pipeline to fail deployments when SAST or DAST scans report high-severity findings. The IT manager configures a managed WAF and CDN to reduce operational burden, enforces MFA using the company identity provider, and schedules automated vulnerability scans every Friday. Backup jobs are monitored with a simple dashboard and logs are archived for 90 days; any critical scan results trigger a 72-hour remediation SLA. The CEO signs off on the policy at the quarterly security review, and the organization publishes the approved requirements internally so product owners and contractors know the pre-deployment checklist.
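The pre-deployment gate described in the Technical Implementation steps and in the Acme Marketing scenario can be expressed as a small check that compares a deployment record against the documented acceptance criteria. This is an added example, not code from the original article; the policy values, record fields and finding IDs are constructed assumptions, and the record would in practice be assembled from the WAF configuration, TLS settings, a port inventory and the latest SAST/DAST export.

```python
from datetime import datetime, timedelta, timezone
# Acceptance criteria as an SMB might document them (constructed values).
POLICY = {
    "min_tls": (1, 2),                     # TLS 1.2 or newer only
    "public_ports": {443},                 # only HTTPS may be exposed
    "blocking": {"critical", "high"},      # severities that block a release
    "critical_sla": timedelta(hours=72),   # remediation window for criticals
}

def evaluate(record, policy=POLICY):
    """Return the failed acceptance criteria; an empty list means approved."""
    failures = []
    if not record.get("waf_enabled"):
        failures.append("WAF not enabled")
    tls = tuple(int(p) for p in record["min_tls_version"].split("."))  # "1.2" -> (1, 2)
    if tls < policy["min_tls"]:
        failures.append(f"TLS minimum {record['min_tls_version']} below policy")
    if not record.get("admin_mfa"):
        failures.append("MFA not enforced for admin access")
    extra = set(record["open_ports"]) - policy["public_ports"]
    if extra:
        failures.append(f"unapproved exposed ports: {sorted(extra)}")
    for f in record["findings"]:
        if f["severity"] in policy["blocking"] and f["status"] == "open":
            failures.append(f"open {f['severity']} finding {f['id']}")
    return failures

def overdue_criticals(record, now, policy=POLICY):
    """IDs of open critical findings that have exceeded the remediation SLA."""
    return [f["id"] for f in record["findings"]
            if f["severity"] == "critical" and f["status"] == "open"
            and now - datetime.fromisoformat(f["found"]) > policy["critical_sla"]]

# Constructed deployment records (hypothetical app, hypothetical finding IDs).
NOW = datetime(2026, 1, 17, 12, 0, tzinfo=timezone.utc)
RECORD_FAIL = {
    "waf_enabled": True, "min_tls_version": "1.0", "admin_mfa": False,
    "open_ports": [443, 8080],
    "findings": [
        {"id": "F-1", "severity": "critical", "status": "open", "found": "2026-01-10T09:00:00+00:00"},
        {"id": "F-2", "severity": "low", "status": "open", "found": "2026-01-16T09:00:00+00:00"},
    ],
}
RECORD_PASS = {
    "waf_enabled": True, "min_tls_version": "1.2", "admin_mfa": True,
    "open_ports": [443],
    "findings": [{"id": "F-3", "severity": "high", "status": "fixed", "found": "2026-01-12T09:00:00+00:00"}],
}
```

Wiring `evaluate()` into the CI/CD pipeline and failing the job when it returns a non-empty list gives the "fail deployments on high-severity findings" behaviour, while `overdue_criticals()` feeds the 72-hour SLA report.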

Summary

Defining, documenting and approving cybersecurity requirements for external web applications combines a clear, signed policy with practical technical controls: perimeter protections (WAF, HTTPS), authentication (MFA, RBAC), secure development/testing standards, operational hygiene (scans, port reviews) and backups/logging. For SMBs, codify these requirements into a simple, versioned document that assigns ownership and requires executive approval, then implement lightweight managed services and automated checks that meet the documented acceptance criteria. This approach ensures accountability, reduces exposure, and makes security a repeatable part of launching and operating public web applications.
