Since its public release, the Qualys SSL Labs API has opened up an excellent data source that could enable someone to continuously assess all of their internet-facing websites (a very useful capability for any IT Security team).
Firstly, fixing security settings for external websites in a large company can be tricky. You need to find the right people, then reach them, then get everything planned, scheduled and tested. If you have multiple sites, there’s also a good chance that each site has a completely different set of people involved.
Secondly, I’ve worked with a few different vulnerability and ASV scanning solutions – they all push out the right data (though they all seem to have horribly out-of-date root CA stores), but they mostly don’t give you a format that is conducive to sharing – I’ve had many people ask, “what exactly does this SSL vulnerability in this report mean?”
This means that instead of quickly throwing together a very simple-to-understand “green is good, red is bad” report, I first need to sit down, translate all the results and then write it up again. This is okay for an ad-hoc review, but not something I want to be constantly churning out by hand. I’m a strong advocate of continuous scanning (whether it be for vulnerabilities or SSL server configs) – so I decided to see what I could do in my spare time. With that landscape in mind, I ended up looking to achieve two things:
- Create a high-level dashboard showing the state of SSL security across a group of websites.
- Assess each website’s SSL config against a configurable “best-practice” configuration standard.
This isn’t ready and I’ve only worked on it infrequently lately – but I thought I’d write it up so it doesn’t get lost. It’s just screenshots for now – the code is ugly/uncommented and the detailed assessment is nowhere near finished. There’s also a requirement that anyone using the API include links back to Qualys SSL Labs, so I’ll need to do that before any sort of code release. My UI skills are a bit lacking – but I think it looks nice enough for now (thanks Chart.JS). The program creating all of this is a C# application that talks to the Qualys API, builds an internal database holding all the scan results, and then runs the data through a reporting module which spits out some HTML pages.
For this post, I loaded the subdomains of badssl.com – it’s a site that has a number of subdomains with different SSL configurations (good & bad) to show how SSL clients react to different situations. The following subdomains were loaded into my program:
A draft of the front page – I’ve got a functioning chart (following the whole “green is good, red is bad” principle) as well as a draft “plain-English” explanation of how people should react to the grades.
The detailed assessment page. It only looks at cipher configurations at the moment – but the plan is to implement checks for certificate trust and vulnerability status as well. The left-hand side shows the cipher list the site currently offers (together with each cipher’s position in the best-practice list loaded into the tool); the right-hand side shows the best-practice list in its proper order.
The remediation section – essentially trying to boil this down into a set of simple steps to follow. I haven’t thought too deeply about how to lay this out – especially the last “re-order everything” line.
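The cipher comparison on the assessment page and the remediation steps it produces, as an added example (Python, not the author’s C# tool). It assumes the site’s offered cipher list, in server preference order, has already been pulled out of the SSL Labs analyze response; the best-practice list and the sample offered list below are constructed for illustration.

```python
"""Assess a site's offered cipher suites against a configurable best-practice list."""
from dataclasses import dataclass

# Constructed best-practice list, strongest first (assumption: ECDHE + AEAD suites only).
BEST_PRACTICE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


@dataclass
class CipherAssessment:
    remove: list          # offered, but not on the best-practice list
    add: list             # on the best-practice list, but not offered
    out_of_order: bool    # retained suites are not in best-practice order
    desired_order: list   # best-practice order restricted to the retained suites


def assess_ciphers(offered, best_practice=BEST_PRACTICE):
    """Compare the server's preference-ordered suite list with the best-practice order."""
    rank = {name: i for i, name in enumerate(best_practice)}
    remove = [c for c in offered if c not in rank]
    retained = [c for c in offered if c in rank]
    add = [c for c in best_practice if c not in offered]
    desired = sorted(retained, key=rank.__getitem__)
    return CipherAssessment(remove, add, retained != desired, desired)


def remediation_steps(assessment):
    """Turn the assessment into the simple 'disable / enable / re-order' steps."""
    steps = [f"Disable {c}" for c in assessment.remove]
    steps += [f"Enable {c}" for c in assessment.add]
    if assessment.out_of_order:
        steps.append("Re-order retained suites to: " + ", ".join(assessment.desired_order))
    return steps


# Constructed sample: one CBC suite that should go, and the GCM suites in the wrong order.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for step in remediation_steps(assess_ciphers(SAMPLE_OFFERED)):
        print(step)
```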