Automated SSL Testing
While it is important to utilize tools like DAST, SAST, and a vulnerable dependency checker, an equally important part of the user's security often revolves around the configuration of HTTPS.
It's great that the openssl library was updated, but if the server is still configured to accept old/weak ciphers or protocols, data can be at risk. Similarly, if a certificate has weaknesses, or is about to expire, that can also have a significant impact.
There are a few different open source HTTPS scanning tools, which can automate the process of checking for vulnerable or weak ciphers and protocols. One example is the underlying scanning tool that powers the popular SSL Labs test: https://github.com/ssllabs/ssllabs-scan/
This could certainly be run on production as part of a broader production test suite, but it could also be relevant for testing against development environments if their configuration mirrors production (or if the code directly handles HTTPS requests, as opposed to, say, a load balancer terminating TLS).
Proposed flow:
- Run the SSL testing tool every day as a scheduled CI job, or as part of a review app CI flow
- Search for ciphers marked weak or for protocol vulnerabilities
- Detect expiring certificates
- Flag these in the output, and potentially fail the test
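As an added example of the flow above (not code from the ssllabs-scan project or the author), the script below acts as the CI gate: it reads a scan report, flags weak protocols, weak cipher suites and certificates close to expiry, and exits non-zero so the job fails. The report shape is a constructed, simplified one: the field names `protocols`, `suites`, `notAfter` and the optional per-suite `weak` flag are assumptions for this example, not a guaranteed match for the real tool's JSON, so the small accessor functions are the place to adapt it.

```python
"""
CI gate over an HTTPS scan report (added example, not the ssllabs-scan
project's own code). The report shape is a constructed, simplified one: the
keys protocols / suites / cert.notAfter and the per-suite "weak" flag are
assumptions for this example, so adapt the accessor functions to the scanner
you actually run.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Protocol versions treated as weak (assumed policy for this example).
WEAK_PROTOCOLS = {("SSL", "2.0"), ("SSL", "3.0"), ("TLS", "1.0"), ("TLS", "1.1")}
# Substrings that mark a cipher suite as weak when the scanner gives no flag
# (constructed, illustrative list).
WEAK_SUITE_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "MD5", "anon")
EXPIRY_WARN_DAYS = 30


def weak_protocols(endpoint):
    """Protocol strings the endpoint still offers that fall in the weak set."""
    return [
        f"{p['name']} {p['version']}"
        for p in endpoint.get("protocols", [])
        if (p["name"], p["version"]) in WEAK_PROTOCOLS
    ]


def weak_suites(endpoint):
    """Suite names flagged weak by the scanner or matching a weak marker."""
    found = []
    for suite in endpoint.get("suites", []):
        name = suite["name"]
        if suite.get("weak", False) or any(m in name for m in WEAK_SUITE_MARKERS):
            found.append(name)
    return found


def cert_days_left(endpoint, now):
    """Days until the leaf certificate expires; notAfter is epoch milliseconds."""
    not_after = datetime.fromtimestamp(endpoint["cert"]["notAfter"] / 1000, tz=timezone.utc)
    return (not_after - now).days


def evaluate(report, now=None, warn_days=EXPIRY_WARN_DAYS):
    """Collect findings across all endpoints; an empty list means the gate passes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for ep in report.get("endpoints", []):
        where = f"{report['host']} ({ep.get('ipAddress', '?')})"
        for proto in weak_protocols(ep):
            findings.append(f"{where}: weak protocol enabled: {proto}")
        for suite in weak_suites(ep):
            findings.append(f"{where}: weak cipher suite: {suite}")
        days = cert_days_left(ep, now)
        if days < 0:
            findings.append(f"{where}: certificate expired {-days} days ago")
        elif days <= warn_days:
            findings.append(f"{where}: certificate expires in {days} days")
    return findings


def exit_code(findings):
    """Non-zero when anything was flagged, so the CI job fails."""
    return 1 if findings else 0


# Constructed sample report: one endpoint with TLS 1.0 still enabled, an RC4
# suite, and a certificate 10 days from expiry relative to SAMPLE_NOW.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_REPORT = {
    "host": "example.test",
    "endpoints": [{
        "ipAddress": "192.0.2.10",
        "protocols": [{"name": "TLS", "version": "1.0"}, {"name": "TLS", "version": "1.2"}],
        "suites": [
            {"name": "TLS_RSA_WITH_RC4_128_SHA"},
            {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
        ],
        "cert": {"notAfter": int((SAMPLE_NOW + timedelta(days=10)).timestamp() * 1000)},
    }],
}

if __name__ == "__main__":
    # Read a report from the file given on the command line, else use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report, now = json.load(fh), None
    else:
        report, now = SAMPLE_REPORT, SAMPLE_NOW
    found = evaluate(report, now)
    for line in found:
        print("FAIL:", line)
    sys.exit(exit_code(found))
```

In a scheduled pipeline the scanner's JSON output would be passed as the first argument; run without arguments the script evaluates the embedded sample and exits 1, which is the behaviour the "fail the test" step asks for. The expiry threshold is a single constant so a team can pick a warning window that matches its renewal lead time.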