The Redwood Shores, Calif.-based security vendor recently augmented its SSL Labs non-commercial SSL security resources with the release of a free public API to help enterprises test servers for SSL vulnerabilities.
Unlike Qualys' SSL Pulse dashboard, which tests SSL on about 200,000 of the world's most highly trafficked websites, the SSL Labs API can be used to test any website and also works on multiple servers.
"SSL Labs tests public HTTP service, and if you go there, it tests one server at a time. While that's fine, we've had requests from people who have more than one server," said Ivan Ristic, director of engineering at Qualys. "If you have more than one server, it's difficult to keep track of all of them."
The API is free for anyone to use, but Qualys said it is working specifically with organizations such as large infrastructure providers, domain name registrars and certification authorities to better monitor their customers through the API.
Ristic said he hopes that these providers will inform their customers if the security is not adequate.
"We had an API internally," Ristic said, "but we polished it a bit, documented it and published it for everyone to use for free to test their own infrastructure."
In February, Frank Breedijk, the lead developer and author of vulnerability scanner Seccubus, wrote a blog post praising the release of the API and announced it would now be supported in the Seccubus scanner.
"[SSL Labs is] the de facto gold standard when it comes to judging SSL setups," Breedijk wrote.
Information security consultant Scott Helme of Pentest Limited, a UK-based cybersecurity firm, is also a long-time fan of the SSL Labs services. Last year, he posted a walkthrough for achieving an A+ grade on SSL configuration.
"The public API on the Qualys SSL test should further enable system administrators to keep a better check on their SSL/TLS configurations by allowing proper automated testing of their infrastructure," Helme said about the development. "This will allow any errors in configuration to be spotted and resolved more quickly and will allow much easier monitoring on larger estates, which can only be a good thing."
Grading security of SSL configurations
The SSL grading test is designed to show how the service is configured. The test runs through hundreds of criteria, though Ristic points out that not every dimension is equally important. Each dimension affects the grade, which is a letter from A to F.
A grade of B is acceptable in some cases, Ristic said, because in a large organization with a large user base there are users who are running legacy programs or devices. If cutting off these users is not realistic for business reasons, then some devices must be accepted. It is perfectly sensible, according to Ristic, to accept certain risks.
"If we give you an A, that means that you're passing and you have decent configuration and good security," he said. "Of course, if we give you an F, that means there's something seriously wrong, and then you have to work on it. You look at the results and figure out what's wrong and fix it."
The grading criteria are always evolving, Ristic said, because the environment has been changing constantly since the grading system was adopted in 2009.
"It's always [getting] stricter," Ristic said about the grading system. "We never relax requirements."
Ristic warned, however, that the grade is not the final say on security. A heavy emphasis on "perfect security" actually degrades performance.
"If you increase the size of your server keys, the connections to your server become slower," Ristic said. "Most sites do not need military-grade security."
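The multi-server monitoring that Ristic and Helme describe above, and the grade threshold discussion (where a B may be an acceptable floor for one estate and an A for another), can be combined into a small poller. The script below is an added example, not code from the article, Qualys or SSL Labs; it assumes the public v3 `analyze` endpoint at api.ssllabs.com and the `status`, `endpoints`, `ipAddress`, `grade` and `statusMessage` response fields as they appear in the public API documentation. The sample response embedded at the bottom is constructed (addresses are documentation ranges) so the grade logic can be exercised offline.

```python
"""Poll the SSL Labs assessment API for several hosts and flag endpoints whose
grade falls below a per-run minimum. Added example; API field names are taken
from the public SSL Labs API documentation (assumption, not the article's code)."""
import json
import sys
import time
import urllib.parse
import urllib.request

API_BASE = "https://api.ssllabs.com/api/v3"  # assumed public endpoint base

# Letter grades ordered worst to best. "T" (certificate not trusted) and
# "M" (name mismatch) are not in this list and therefore always rank as failing.
GRADE_ORDER = ["F", "E", "D", "C", "B", "A-", "A", "A+"]


def grade_rank(grade):
    """Sortable rank for an SSL Labs grade; unknown or trust-failure grades rank lowest."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else -1


def summarize(report):
    """Reduce one parsed /analyze response to (status, [(ip, grade, statusMessage), ...]).

    A host with several A records yields one endpoint per IP, which is why a
    multi-server estate needs per-endpoint rather than per-host results."""
    rows = []
    for ep in report.get("endpoints", []):
        rows.append((ep.get("ipAddress"), ep.get("grade"), ep.get("statusMessage", "")))
    return report.get("status"), rows


def below_minimum(report, minimum):
    """Endpoints whose grade is below `minimum`, or that have no grade yet."""
    _, rows = summarize(report)
    return [(ip, grade, msg) for ip, grade, msg in rows
            if grade is None or grade_rank(grade) < grade_rank(minimum)]


def fetch_report(host, start_new=False, timeout=30):
    """One GET against /analyze. startNew=on forces a fresh assessment instead of a cached one."""
    params = {"host": host, "all": "done"}
    if start_new:
        params["startNew"] = "on"
    url = f"{API_BASE}/analyze?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def assess(host, start_new=False, poll_seconds=15, max_wait=900):
    """Start (or reuse) an assessment and poll until READY or ERROR, then return the report.
    Polling calls never repeat startNew=on, which would restart the assessment."""
    report = fetch_report(host, start_new=start_new)
    waited = 0
    while report.get("status") not in ("READY", "ERROR") and waited < max_wait:
        time.sleep(poll_seconds)
        waited += poll_seconds
        report = fetch_report(host)
    return report


# Constructed sample of a READY response; values are invented, shape follows the API docs.
SAMPLE_REPORT = {
    "host": "www.example.com", "port": 443, "protocol": "http", "status": "READY",
    "endpoints": [
        {"ipAddress": "203.0.113.5", "grade": "A", "statusMessage": "Ready"},
        {"ipAddress": "203.0.113.7", "grade": "B", "statusMessage": "Ready"},
        {"ipAddress": "203.0.113.9", "grade": "T", "statusMessage": "Ready"},
    ],
}

# Constructed sample of a response caught mid-assessment (no grade yet on the endpoint).
SAMPLE_IN_PROGRESS = {
    "host": "www.example.com", "port": 443, "protocol": "http", "status": "IN_PROGRESS",
    "endpoints": [{"ipAddress": "203.0.113.5", "statusMessage": "In progress"}],
}


if __name__ == "__main__":
    # Usage: python ssllabs_check.py MIN_GRADE host1 host2 ...
    minimum, hosts = sys.argv[1], sys.argv[2:]
    failures = 0
    for host in hosts:
        report = assess(host)
        status, rows = summarize(report)
        for ip, grade, msg in rows:
            print(f"{host:30} {ip:16} {grade or '-':3} {msg}")
        failing = below_minimum(report, minimum) if status == "READY" else rows
        failures += len(failing)
    sys.exit(1 if failures else 0)
```

The exit status makes the script usable as a scheduled check: a non-zero exit means at least one endpoint is below the chosen floor, has a trust or mismatch grade, or never reached READY. Keep the polling interval generous; the public service is shared and an assessment of one host takes minutes, so there is nothing to gain from tight loops.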