This AssetView Dashboard will enable you to be more proactive in your SSL/TLS management, using data from your Qualys Vulnerability Management scans. Get a quick, easy glance at KPIs for SSL/TLS management across different technologies.
SSL/TLS Vulnerabilities & Certificate Management I
Administrators have so many responsibilities that server SSL/TLS configurations are often overlooked, which leads to insecure servers. These misconfigurations constitute a significant vector for breaches and downtime at major organizations, since those organizations don't have a precise inventory of certificates, expiration dates, types of certificates and number of CAs. Visibility into these KPIs is critical for any organization.
Qualys offers CertView Free for all your external IPs, to enable organizations to assess their SSL/TLS configurations without having to become SSL experts. It also allows you to quickly remediate cipher suites, protocols and key exchange parameters on the underlying endpoints. CertView identifies out-of-policy certificates with weak signatures or key lengths. It shows you how many certificates were issued by Certificate Authorities (CAs) that have been vetted and approved per your policy, and how many certificates are self-signed or were issued by CAs that have not been authorized to issue certificates in your environment. Controlling the number of CAs that can issue certificates to your environment helps control the chain of trust for your domain, preventing man-in-the-middle and spoofing attacks.
Recent updates in the major browsers, led by Chrome, flag sites without an SSL certificate as "Not Secure," leading anyone doing business on the Internet to install an SSL certificate on their site. All organizations rely on SSL and certificates to protect their business. But most organizations don't have any visibility into their certificates, resulting in unplanned outages due to expired certificates. When the auditors say there are certificate and TLS-related risks that need to be mitigated, it's difficult to remediate because you don't know where these certificates are or whether the underlying TLS configuration is weak or strong. CertView not only helps prevent expired certificates from interrupting critical business functions, but also tells you how strong or weak the underlying configuration is through simple one-letter grades. For weaker grades, CertView also tells you what you can do to improve the grade, and therefore the configuration and thus the security of the entire system.
For more information on CertView see the following 2 links and contact your TAM:
Dashboard Demonstration Images:
* * * Requirements * * *
The following Widgets Require Tags to be created:
Example: SSL/TLS Certificate QIDs, detection results example.
How to import the SSL Certificates search list from the library:
A static list of QIDs for detecting SSL certificates on target hosts and calculating SSL grades.
SSL Server Information Retrieval
SSL Server Allows Anonymous Authentication Vulnerability
SSL Certificate - Expired
SSL Certificate - Future Start Date
SSL Certificate - Self-Signed Certificate
SSL Certificate - Subject Common Name Does Not Match Server FQDN
SSL Certificate - Server Public Key Too Small
SSL Certificate - Improper Usage Vulnerability
SSL Certificate - Signature Verification Failed Vulnerability
SSL Certificate - Will Expire Soon
Webmin Static SSL Key Vulnerability
OpenSSL ASN.1 Parsing Vulnerabilities
OpenSSL RSA Timing Attack Vulnerability
SSL Insecure Protocol Negotiation Weakness
TLS Protocol Session Renegotiation Security Vulnerability
Deprecated Public Key Length
SSL/TLS Compression Algorithm Information Leakage Vulnerability
SSL Certificate will expire within the next six months
SSL/TLS use of weak RC4 cipher
OpenSSL Multiple Remote Security Vulnerabilities
SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
SSL Server Diffie-Hellman Weak Encryption Vulnerability (Logjam)
SSL Server default Diffie-Hellman prime information
SSL/TLS Server supports TLS_FALLBACK_SCSV
Debian OpenSSL Package Random Number Generator Weakness
X.509 Certificate MD5 Signature Collision Vulnerability
TLS Secure Renegotiation Extension Support Information
SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
OpenSSL Memory Leak Vulnerability (Heartbleed Bug)
Authenticated Certificate Retrieval - Information
SSL Certificate - Information
HTTP Strict Transport Security (HSTS) Support Detected
POD - 1 - Apply Tags to Organize Your Assets
POD - 2 - Apply Tags to Organize Your Assets
POD - 3 - Apply Tags to Organize Your Assets
Additional AssetView Dashboards: