What is true regarding public-facing web applications and controls?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

What is true regarding public-facing web applications and controls?

Explanation:
Public-facing web applications are exposed to the Internet and face ongoing external threats, so they require additional, layered controls applied throughout the development and operation lifecycle. The best choice reflects that these applications must adhere to secure coding practices and be supported by ongoing defenses, such as secure SDLC processes, code reviews, regular vulnerability testing, strong authentication and session management, input validation, encryption in transit, and protections like a web application firewall. This approach addresses evolving threats and helps prevent the common flaws and misconfigurations for which public-facing applications are frequently targeted. In contrast, assuming no extra controls are needed, insisting that such applications be isolated from external access, or bypassing secure coding guidelines would leave public-facing applications vulnerable and does not align with secure PCI practices.