About this program
TLS configuration + cert lifecycle — every breach starts with somebody not noticing a cert expired or a weak cipher enabled.
Risks addressed
- High: Expired cert breaks customer-facing service
- High: Weak ciphers (TLS 1.0 / RC4) downgraded by attacker
- Critical: Private keys exposed in code repos
Controls (7)
- Inventory of all certificates + owners (High)
  Testing procedure: Cert management tool tracks every public + internal cert with owner + expiry.
  Evidence to collect: Cert inventory export.
- Auto-renewal where possible (High)
  Testing procedure: ACME (Let's Encrypt / equivalent) or vendor automation renews 30+ days before expiry.
  Evidence to collect: Renewal automation evidence.
- Expiry alerts at 30 + 14 + 7 days (High)
  Testing procedure: Monitoring fires alerts at multiple thresholds.
  Evidence to collect: Alert config + last alert.
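The inventory and expiry-alert controls above, as an added example that is not part of the original program: a script that walks a cert inventory (constructed sample data, no real hosts or certificates) and reports which of the 30 / 14 / 7 day thresholds each cert has crossed. The notAfter strings use the format `ssl.getpeercert()` returns, so the same parser works on live data; the fixed "now" is an assumption to keep the run reproducible.

```python
import ssl
from datetime import datetime, timezone

# Alert thresholds in days before expiry, as the control states (30 + 14 + 7).
THRESHOLDS_DAYS = (30, 14, 7)

# Fixed "now" so the run is reproducible (constructed; use datetime.now(timezone.utc) in production).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample inventory. notAfter uses the "%b %d %H:%M:%S %Y GMT" format that
# ssl.getpeercert()["notAfter"] returns. Names and owners are placeholders.
INVENTORY = [
    {"name": "www.example.test", "owner": "web-team", "not_after": "Aug 30 00:00:00 2024 GMT"},
    {"name": "api.example.test", "owner": "platform", "not_after": "Jun 21 00:00:00 2024 GMT"},
    {"name": "vpn.example.test", "owner": "netops",   "not_after": "Jun  6 00:00:00 2024 GMT"},
    {"name": "old.example.test", "owner": "legacy",   "not_after": "May 30 00:00:00 2024 GMT"},
]


def parse_not_after(value):
    """Convert an OpenSSL-style notAfter string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def alert_level(days_left):
    """Return 'EXPIRED', the tightest threshold crossed ('7d', '14d', '30d'), or None."""
    if days_left < 0:
        return "EXPIRED"
    for threshold in sorted(THRESHOLDS_DAYS):  # check 7 before 14 before 30
        if days_left <= threshold:
            return f"{threshold}d"
    return None


def evaluate(inventory, now=NOW):
    """Return (name, owner, days_left, level) for every cert that needs an alert."""
    findings = []
    for cert in inventory:
        days_left = (parse_not_after(cert["not_after"]) - now).days
        level = alert_level(days_left)
        if level is not None:
            findings.append((cert["name"], cert["owner"], days_left, level))
    return findings


if __name__ == "__main__":
    for name, owner, days_left, level in evaluate(INVENTORY):
        print(f"[{level}] {name} (owner: {owner}) expires in {days_left} days")
```

Because the output carries the owner alongside the threshold, the same run doubles as evidence for both the inventory control (every cert has an owner) and the alert control (the thresholds actually fire).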
- Only TLS 1.2+ enabled (Critical)
  Testing procedure: No TLS 1.0 / 1.1. Use ssllabs.com / equivalent scan.
  Evidence to collect: SSL Labs report.
- Strong ciphers + perfect forward secrecy (High)
  Testing procedure: AEAD ciphers only; ECDHE key exchange.
  Evidence to collect: Cipher suite config.
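The two preceding controls (TLS 1.2+ only; AEAD suites with ephemeral key exchange), as an added example that is not part of the original program: an audit function that flags any cipher suite name failing either rule, run over a constructed list, plus a Python `ssl` server context configured to satisfy both controls so its own cipher list can be audited the same way. The cipher string and the classification markers are this example's assumptions, not something the program prescribes.

```python
import ssl

# Constructed cipher list to audit (OpenSSL suite names); not taken from any real server.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3: always AEAD with ephemeral key exchange
    "ECDHE-ECDSA-CHACHA20-POLY1305",  # passes both rules
    "ECDHE-RSA-AES128-GCM-SHA256",    # passes both rules
    "ECDHE-RSA-AES256-SHA384",        # forward secrecy, but CBC mode: not AEAD
    "AES128-GCM-SHA256",              # AEAD, but static RSA key exchange: no forward secrecy
    "RC4-SHA",                        # fails both rules
]

AEAD_MARKERS = ("GCM", "CHACHA20-POLY1305", "CCM")
PFS_PREFIXES = ("ECDHE-", "DHE-")   # authenticated ephemeral key exchange


def is_tls13(name):
    return name.startswith("TLS_")   # TLS 1.3 suites are named TLS_<cipher>_<hash>


def is_aead(name):
    return is_tls13(name) or any(marker in name for marker in AEAD_MARKERS)


def has_pfs(name):
    return is_tls13(name) or name.startswith(PFS_PREFIXES)


def audit_cipher_suites(names):
    """Return [(suite, reason), ...] for each suite violating 'AEAD only; ECDHE key exchange'."""
    findings = []
    for name in names:
        if not is_aead(name):
            findings.append((name, "not AEAD"))
        if not has_pfs(name):
            findings.append((name, "no forward secrecy"))
    return findings


def hardened_server_context():
    """Server context meeting both controls: TLS 1.2 minimum, AEAD + ephemeral suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses TLS 1.0 / 1.1 handshakes
    # TLS 1.2 suites; the TLS 1.3 suites are enabled by OpenSSL independently of this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def context_cipher_names(ctx):
    """Suite names a context will offer, in the form OpenSSL reports them."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for suite, reason in audit_cipher_suites(SAMPLE_SUITES):
        print(f"FAIL {suite}: {reason}")
    print("hardened context findings:", audit_cipher_suites(context_cipher_names(hardened_server_context())))
```

The audit is a string-level check on suite names, which is what a cipher-suite config export or an SSL Labs report gives you; it does not replace a scan of the live endpoint, which is the evidence the TLS 1.2+ control asks for.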
- HSTS enabled on public sites (Medium)
  Testing procedure: Strict-Transport-Security header with includeSubDomains + preload.
  Evidence to collect: curl -I sample.
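The HSTS control above, as an added example that is not part of the original program: a checker that takes a raw `curl -I` response (constructed samples here, not captures from any real site), extracts the Strict-Transport-Security header and verifies the directives the control requires. It additionally checks that max-age is at least one year (31536000 seconds), which is the minimum the HSTS preload list accepts; that extra check is this example's addition.

```python
# Constructed `curl -I` style responses (not from any real site).
GOOD_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
"""

NO_HSTS_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
"""

# hstspreload.org requires max-age of at least one year for a domain to be submitted.
PRELOAD_MIN_MAX_AGE = 31536000


def get_header(raw_response, name):
    """Return the value of a header from a raw response (case-insensitive), or None."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a lowercase directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip() if val else True
    return directives


def check_hsts(raw_response, min_max_age=PRELOAD_MIN_MAX_AGE):
    """Return a list of findings; an empty list means the response passes the control."""
    value = get_header(raw_response, "Strict-Transport-Security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = parse_hsts(value)
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or max_age is True or not max_age.isdigit():
        findings.append("max-age missing or malformed")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} below {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    if "preload" not in directives:
        findings.append("preload missing")
    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE), ("none", NO_HSTS_RESPONSE)):
        print(label, check_hsts(raw) or "OK")
```

Feed it the saved `curl -I` output the control lists as evidence; a non-empty finding list is the thing to attach to the exception, not just the raw header.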
- Private keys vaulted (High)
  Testing procedure: No keys in repos / on developer laptops.
  Evidence to collect: Secret scan + vault config.
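The secret-scan half of the control above, as an added example that is not part of the original program: a scanner that reports every PEM private key header in a set of files, run here over a constructed repository snapshot (the key bodies are placeholders, not real key material). The regex covers the common PEM header variants; which header types count is this example's assumption.

```python
import os
import re

# PEM private key headers: PKCS#1 RSA, SEC1 EC, DSA, PKCS#8 (plain and encrypted), OpenSSH.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----")

# Constructed repository snapshot: relative path -> file contents. Not a real repo;
# the "keys" are placeholder strings so nothing sensitive is embedded here.
REPO_SNAPSHOT = {
    "deploy/tls.key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n",
    "config/settings.py": "TLS_CERT = '/etc/ssl/certs/site.pem'\nTLS_KEY = vault.read('secret/tls/site')\n",
    "docs/runbook.md": "Keys live in the vault; they are never committed.\n",
    "scripts/setup.sh": "cat > /tmp/k <<EOF\n-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\nEOF\n",
}


def scan_for_private_keys(files):
    """Return [(path, line_number, header), ...] for every PEM private key header found."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = PRIVATE_KEY_RE.search(line)
            if match:
                hits.append((path, lineno, match.group(0)))
    return hits


def scan_directory(root):
    """Read a real working tree into the path -> contents shape and scan it (skips unreadable files)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_for_private_keys(files)


if __name__ == "__main__":
    for path, lineno, header in scan_for_private_keys(REPO_SNAPSHOT):
        print(f"{path}:{lineno}: {header}")
```

A hit on a `.key` file is the obvious case; the heredoc in the shell script is the kind of finding that survives a file-extension-only check, which is why the scan looks at every line of every file rather than at names.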