Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-15-2 – The cybersecurity requirements for external web applications must be implemented.
Understanding the Requirement
This control requires an organization to implement a defined set of cybersecurity protections for every externally facing web application so that risk from the public internet is reduced to an acceptable level. In practice an SMB must adopt both procedural and technical controls: documenting external web application security procedures, deploying perimeter defenses such as a Web Application Firewall (WAF), enforcing strong transport security (HTTPS), adopting multi-tier or segmented application architectures, and requiring multi-factor authentication, all captured in the organization's Essential Cybersecurity Controls (ECC – 2 : 2024) procedures.
Technical Implementation
- Inventory and classify external web applications. Maintain a registry of every externally accessible app, its owner, hosting location, technology stack, and data sensitivity. Use this inventory to prioritize controls, patch schedules, and testing cadence.
- Deploy a Web Application Firewall (WAF). Configure a WAF (cloud-managed or on-prem) to block common web attacks (OWASP Top 10), enforce rate limits, and provide logging for suspicious traffic. Tailor rules to your application behavior to reduce false positives and review WAF logs weekly.
- Enforce secure transport (HTTPS) and secure protocols. Use TLS 1.2+ with strong cipher suites, HSTS headers, and automated certificate management (ACME/Let’s Encrypt or managed certs). Disable insecure protocols and regularly scan for TLS misconfigurations.
- Adopt a multi-tier architecture and network segmentation. Separate web servers, application servers, and data stores on different network segments or VPC subnets. Limit inbound and lateral access with firewall rules and allow only required ports and services between tiers.
- Require Multi-Factor Authentication (MFA) for user access. Enforce MFA for all administrative and developer access, and for any user-facing login where sensitive data or administrative features exist. Where possible, use phishing-resistant methods (hardware keys or FIDO2).
- Document a secure usage policy for users and integrate it into procedures. Publish concise acceptable-use and password policies for users of external apps, define session timeout and account lockout thresholds, and include them in your external web applications security procedure. Ensure stakeholders (Dev, Ops, Helpdesk) know their responsibilities.
- Implement a testing and patching routine. Schedule regular vulnerability scans, authenticated scans, and at least annual or release-triggered web application penetration tests. Track findings, assign remediation tasks, and apply security updates promptly based on risk.
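The transport item above (TLS 1.2+, HSTS, disabling insecure protocols) can be verified rather than assumed. The following is an added example for this page, not code from the ECC document or from any vendor: a client TLS context that refuses anything below TLS 1.2, a check of the protocol list a load balancer reports against the versions that must be disabled, and an audit of a Strict-Transport-Security header. The one-year max-age floor and the sample header values are constructed assumptions, not figures from the control text.

```python
# Added example for this guidance page; not taken from the ECC document.
# Checks for the transport requirements: a client TLS context that refuses
# anything below TLS 1.2, a protocol-list check, and an HSTS header audit.
# The one-year floor and the sample header values are constructed assumptions.
import ssl
from typing import List, Optional

HSTS_MIN_MAX_AGE = 31_536_000                      # one year in seconds (assumed policy floor)
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context() -> ssl.SSLContext:
    """Return a context that only negotiates TLS 1.2 or 1.3 and validates certificates."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses TLS 1.0/1.1 handshakes
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def obsolete_protocols_enabled(enabled: List[str]) -> List[str]:
    """Given the protocol list a load balancer reports, return the ones that must be disabled."""
    return sorted(p for p in enabled if p in OBSOLETE_PROTOCOLS)


def audit_hsts(header: Optional[str]) -> List[str]:
    """Return findings for an HSTS header value; an empty list means it passes."""
    if header is None:
        return ["HSTS header missing"]
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")      # directives are case-insensitive
        directives[name.strip().lower()] = value.strip()
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not numeric")
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    # Constructed samples: a hardened header, a weak one, and a missing one.
    for hdr in ("max-age=63072000; includeSubDomains; preload", "max-age=300", None):
        print(repr(hdr), "->", audit_hsts(hdr) or ["ok"])
    print("to disable:", obsolete_protocols_enabled(["TLSv1", "TLSv1.2", "TLSv1.3"]))
```

Run the `audit_hsts` check against the header your load balancer actually returns, and feed `obsolete_protocols_enabled` the protocol list from its listener configuration; both fit naturally into the TLS misconfiguration scan the item above calls for.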
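The session timeout and account lockout thresholds that the usage policy item asks you to define are only meaningful if the application enforces them consistently. The block below is an added example for this page, not code from the ECC document or from any product: a failure counter with a sliding window and temporary lockout, a login wrapper that checks lockout before the credential so a locked account cannot be probed, and an idle-session timer. The threshold values are constructed placeholders; an organization sets its own in its procedure.

```python
# Added example for this guidance page; not taken from the ECC document.
# Account lockout and idle session timeout logic of the kind a usage policy for
# an external web application defines. Thresholds are constructed placeholders.
from typing import Dict, List

LOCKOUT_THRESHOLD = 5            # failed logins that trigger a lockout
LOCKOUT_WINDOW = 15 * 60         # seconds over which failures are counted
LOCKOUT_DURATION = 30 * 60       # seconds an account stays locked
SESSION_IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session ends


class LockoutPolicy:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self) -> None:
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # lockout expired: clear the state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if this failure locked the account."""
        recent = [t for t in self._failures.get(user, []) if now - t < LOCKOUT_WINDOW]
        recent.append(now)                   # failures outside the window age out
        self._failures[user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_DURATION
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)       # a good login resets the counter


def attempt_login(policy: LockoutPolicy, user: str, password_ok: bool, now: float) -> str:
    """Return 'locked', 'ok' or 'denied'. The lockout check runs before the
    credential check so a locked account cannot be probed for its password."""
    if policy.is_locked(user, now):
        return "locked"
    if password_ok:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now)
    return "locked" if policy.is_locked(user, now) else "denied"


class IdleSession:
    """A session that ends after SESSION_IDLE_TIMEOUT seconds without activity."""

    def __init__(self, user: str, now: float) -> None:
        self.user = user
        self.last_activity = now
        self.active = True

    def touch(self, now: float) -> bool:
        """Record activity; return False once the idle limit has been exceeded."""
        if not self.active or now - self.last_activity > SESSION_IDLE_TIMEOUT:
            self.active = False              # an ended session never revives
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    policy = LockoutPolicy()
    for i in range(LOCKOUT_THRESHOLD):       # constructed burst of bad passwords
        print(attempt_login(policy, "alice", False, 1000 + i))
    print(attempt_login(policy, "alice", True, 1010))   # still locked
```

Whatever values you pick, record them in the external web applications security procedure so the Helpdesk knows what a user will experience and when an unlock is legitimate.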
Example in a Small or Medium Business
Greenline Logistics is an SMB with a customer portal and an online booking API. They start by creating a simple inventory listing both the portal and the API, noting owners and the data types handled. The IT lead contracts a cloud WAF service and applies managed rules to block SQL injection and common bot traffic; they tune the WAF over two weeks to reduce false positives. All external endpoints are moved to HTTPS with automated certificate renewal and HSTS enabled, and the company disables older TLS versions on their load balancer. Developers rework the deployment so web servers sit in a public subnet while application servers and databases sit in private subnets; firewall rules only allow the web tier to talk to the app tier on required ports. MFA is enforced for admin and developer accounts, and user accounts with elevated permissions require hardware tokens. Finally, Greenline documents these measures in a short external web applications security procedure, schedules quarterly vulnerability scans, and assigns an owner to review WAF logs and patch tickets weekly. This combination of policy, architecture, and operational tasks brings their external apps in line with the control's intent.
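The tier-to-tier rules in the Greenline scenario (internet to web only, web to app, app to database, everything else denied) are easier to keep honest when they are written down as data and checked against what the network actually carries. The block below is an added example for this page, not part of the ECC document or of any real Greenline configuration: it expresses the allow-list as rules, reports which tiers the internet can reach directly, and flags observed flows that no rule permits. Tier names, port numbers and the sample flows are constructed for illustration.

```python
# Added example for this guidance page; not part of the ECC document or of any
# real Greenline configuration. Expresses the scenario's tier-to-tier allow-list
# as data and checks observed flows against it. Tiers, ports and the sample
# flows are constructed for illustration.
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    src: str
    dst: str
    port: int


# Everything not listed here is denied (default deny between tiers).
ALLOW_RULES = [
    Rule("internet", "web", 443),   # public HTTPS into the web tier only
    Rule("web", "app", 8443),       # web tier to application tier
    Rule("app", "db", 5432),        # application tier to the database
]

Flow = Tuple[str, str, int]  # (source tier, destination tier, destination port)


def is_allowed(flow: Flow, rules: List[Rule] = ALLOW_RULES) -> bool:
    """True only if some rule matches source tier, destination tier and port exactly."""
    src, dst, port = flow
    return any(r.src == src and r.dst == dst and r.port == port for r in rules)


def find_violations(flows: List[Flow], rules: List[Rule] = ALLOW_RULES) -> List[Flow]:
    """Return observed flows that no rule permits, for review against flow logs."""
    return [f for f in flows if not is_allowed(f, rules)]


def internet_reachable_tiers(rules: List[Rule] = ALLOW_RULES) -> List[str]:
    """Tiers the public internet may reach directly; in this design only the web tier."""
    return sorted({r.dst for r in rules if r.src == "internet"})


# Constructed sample of flows as they might be summarized from VPC flow logs.
SAMPLE_FLOWS: List[Flow] = [
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("web", "db", 5432),        # web tier talking straight to the database: violation
    ("internet", "app", 8443),  # application tier exposed to the internet: violation
    ("app", "db", 5432),
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print("not permitted by segmentation policy:", f)
    print("internet-facing tiers:", internet_reachable_tiers())
```

Running `find_violations` over a periodic summary of observed tier-to-tier connections turns the segmentation design into something the WAF-log reviewer can check alongside the weekly log review, rather than a diagram that drifts from the deployed firewall rules.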
Summary
Meeting Control 2-15-2 requires a mix of documented procedures and concrete technical controls: inventory and governance to assign responsibility; WAFs, HTTPS, and MFA to harden access and transport; and multi-tier segmentation plus routine testing and patching to reduce attack surface and exposure. For SMBs, the practical path is to adopt these measures incrementally — prioritize high-risk apps, automate certificate and patch management where possible, and codify responsibilities in a short external web applications security procedure so that the protections remain effective and sustainable.