It came to my attention that the Web Profile WG decided to not include a check for TLS termination because "Cloud will cover it". However, the Cloud Profile did not. Such a check should be added to at least one of the two places.
If we choose to add such a check to Cloud Profile, keep in mind that there are many ways to terminate TLS within a Cloud environment. For AWS, the main options are:
Two or three different types of load balancers
API Gateways
CloudFront Distributions
Random stuff running in VMs
The first three allow the operator to select from a handful of different TLS termination policies. Software running in a VM can use whatever TLS configuration it wants. There are also a number of AWS services that can be exposed to the Internet as part of an application that don't allow the operator to configure TLS at all; these tend to use fairly permissive TLS configurations in order to support whatever the current minimum client requirements Amazon has chosen to accept.
I don't know exactly what the options are in Azure or GCP but they have similar functionality.
So if we add TLS checks to Cloud Profile, there will be at least three rules for AWS (one each for load balancers, API Gateway, and CloudFront) and something similar for the other platforms. There's no easy way from the perspective of Cloud Profile to locate all Internet-exposed TLS endpoints within VMs in a Cloud environment; it can certainly be done but the investigation procedure would be fairly involved (for AWS: enumerate Security Groups, determine which allow connections from the Internet, scan all exposed ports using some other tool to determine which have TLS listeners, then enumerate each such port's TLS configuration and review to ensure compliance with factors that will need to be enumerated somewhere).
Alternatively, we could add a TLS endpoint check to Web Profile (and Mobile Profile too, I guess): once the assessor knows what endpoints the application is using, scan them and review to ensure compliance with factors that still need to be enumerated somewhere.
Or we could do both: have Cloud Profile scan the specific services that are easy to scan (leaving out the VM enumeration parts) and have the other Profiles check endpoints that they know to be in use.
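The AWS investigation procedure sketched in the post (the three managed-service policy checks, plus the Security Group enumeration that starts the VM search), as an added example that is not part of the original post or of any Profile. It assumes the boto3 response shapes named in the module docstring, an assumed baseline of "TLS 1.2 or newer" for what counts as compliant, and constructed sample responses; the ARNs, distribution IDs, domain names and group IDs are made up.

```python
"""Added example (not from the original post): offline checks for the AWS TLS
termination points it lists, run over constructed data in the shape of the
boto3 responses from elbv2.describe_listeners, cloudfront.list_distributions,
apigateway.get_domain_names and ec2.describe_security_groups."""
import ipaddress
import socket
import ssl

# Assumed baseline: ELB predefined policies that refuse TLS < 1.2. The service
# default, ELBSecurityPolicy-2016-08, still negotiates TLS 1.0, so it is absent.
ACCEPTED_ELB_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
}


def check_elb_listeners(listeners):
    """'Listeners' from describe_listeners -> [(arn, policy)] for TLS listeners off-baseline."""
    return [(l["ListenerArn"], l.get("SslPolicy")) for l in listeners
            if l.get("Protocol") in ("HTTPS", "TLS")
            and l.get("SslPolicy") not in ACCEPTED_ELB_POLICIES]


def check_cloudfront(distributions):
    """'DistributionList'['Items'] from list_distributions -> [(id, detail)].
    On the default *.cloudfront.net certificate the minimum is pinned to TLSv1 and
    cannot be raised, so that case is reported apart from a weak operator choice."""
    findings = []
    for d in distributions:
        vc = d.get("ViewerCertificate", {})
        minimum = vc.get("MinimumProtocolVersion", "")
        if vc.get("CloudFrontDefaultCertificate"):
            findings.append((d["Id"], "default-cert:" + minimum))
        elif not minimum.startswith("TLSv1.2_"):
            findings.append((d["Id"], minimum))
    return findings


def check_apigw_domains(domain_names):
    """'items' from get_domain_names -> [(domain, policy)]; securityPolicy is TLS_1_0 or TLS_1_2."""
    return [(d["domainName"], d.get("securityPolicy"))
            for d in domain_names if d.get("securityPolicy") != "TLS_1_2"]


def _is_public(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or net.is_global


def internet_exposed_ports(security_groups):
    """'SecurityGroups' from describe_security_groups -> {group_id: [(from, to), ...]}
    for TCP rules reachable from a public range. This is only the first step of the
    VM enumeration; which ports actually carry a TLS listener needs a live probe."""
    exposed = {}
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_public(c) for c in cidrs):
                continue
            # "-1" (all traffic) carries no FromPort/ToPort keys in the response.
            span = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            exposed.setdefault(sg["GroupId"], set()).add(span)
    return {g: sorted(s) for g, s in exposed.items()}


def probe_tls(host, port, lowest, highest, timeout=5.0):
    """Live handshake for one exposed port (network; not used in the sample run).
    Returns the negotiated version if the server accepts a client limited to
    [lowest, highest], else None. (TLSv1, TLSv1_1) asks whether legacy versions
    are still accepted; (TLSv1_2, TLSv1_3) confirms modern support."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inventory only, not a trust decision
    ctx.minimum_version, ctx.maximum_version = lowest, highest
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


# Constructed sample responses (no live account; every identifier is made up).
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/a1/l1",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/a1/l2",
     "Protocol": "HTTPS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/a1/l3",
     "Protocol": "HTTP", "Port": 80},
]
SAMPLE_DISTRIBUTIONS = [
    {"Id": "E1MODERN", "ViewerCertificate": {"SSLSupportMethod": "sni-only",
                                             "MinimumProtocolVersion": "TLSv1.2_2021"}},
    {"Id": "E2DEFAULT", "ViewerCertificate": {"CloudFrontDefaultCertificate": True,
                                              "MinimumProtocolVersion": "TLSv1"}},
    {"Id": "E3OLD", "ViewerCertificate": {"SSLSupportMethod": "sni-only",
                                          "MinimumProtocolVersion": "TLSv1_2016"}},
]
SAMPLE_DOMAINS = [
    {"domainName": "api.example.com", "securityPolicy": "TLS_1_2"},
    {"domainName": "legacy.example.com", "securityPolicy": "TLS_1_0"},
]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0internal", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def run_sample():
    """Managed-service checks plus exposure enumeration over the sample data."""
    return {"elb": check_elb_listeners(SAMPLE_LISTENERS),
            "cloudfront": check_cloudfront(SAMPLE_DISTRIBUTIONS),
            "apigw": check_apigw_domains(SAMPLE_DOMAINS),
            "exposed": internet_exposed_ports(SAMPLE_SECURITY_GROUPS)}


if __name__ == "__main__":
    for section, findings in run_sample().items():
        print(section, findings)
```

In a real assessment the SAMPLE_* constants are replaced by the output of the named boto3 calls (paginated where the API pages), and each (host, port) pair derived from internet_exposed_ports is then handed to probe_tls. Note that OpenSSL's security level on the scanning host can itself refuse TLS 1.0/1.1, so a None from the legacy probe should be confirmed with a dedicated scanner such as testssl.sh before it is recorded as "legacy versions disabled".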