Posted on 11/25/2018, Alexander Ananiev
For more details, please refer to our certificate management document.
Best practices list:
- Restrict certificate validity to short periods of time
- Automate certificate renewal/refresh
- Implement a certificate validation/revocation mechanism (OCSP)
- Do not use self-signed certs
- Do not use wildcard certs
- Establish and maintain a complete certificate inventory: you must know where each certificate is deployed, when it expires, etc.
- Run frequent endpoint/port scans to detect self-signed and other out-of-policy certificates.
- Go beyond HTTPS endpoints: also scan other TLS-enabled TCP endpoints, certs on disk, etc.
- Minimize trust between system components; don't blindly trust all certs or all CAs
- Do not trust all public CAs by default
- Use the internal CA for internal communications/calls
- Implement certificate pinning
- Implement a comprehensive approach to protecting private keys (passwords, keep the keys separate from public certificates, do not keep keys in the same git repo as the code)
- Keep certificates outside of Docker containers; put them on volumes where they can be easily updated
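Several of the items above (short validity, timely renewal, no self-signed certs, no wildcard certs, an inventory that is scanned for out-of-policy certificates) can be turned into a mechanical check. The Go program below is an added example written for this post, not DPBuddy code or any product feature; it builds a small constructed inventory of certificates (the internal CA, the `example.internal` names and the 90-day / 14-day thresholds are all assumptions) and reports which policy rules each endpoint certificate violates. In a real scan the certificates would come from TLS endpoints or files on disk instead of being generated inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy thresholds. These are assumed values for this example; the post itself
// only says "short periods of time" and "automate renewal".
const (
	maxValidityDays = 90 // any cert valid for longer than this is out of policy
	renewWithinDays = 14 // any cert expiring sooner than this must be renewed now
)

// CheckCert tests one parsed certificate against the inventory policy (no
// self-signed, no wildcard, short validity, timely renewal) and returns the
// names of the rules it violates. 'now' is a parameter so results are testable.
func CheckCert(c *x509.Certificate, now time.Time) []string {
	var rules []string
	// Self-signed: issuer equals subject AND the cert's own key verifies its signature.
	// CheckSignature (not CheckSignatureFrom) is used so a non-CA leaf is still checked.
	if c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		rules = append(rules, "self-signed")
	}
	// Wildcard: the CN or any DNS SAN starts with "*.".
	for _, n := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if strings.HasPrefix(n, "*.") {
			rules = append(rules, "wildcard")
			break
		}
	}
	// Validity period longer than policy allows.
	if c.NotAfter.Sub(c.NotBefore) > maxValidityDays*24*time.Hour {
		rules = append(rules, "validity-too-long")
	}
	// Already expired, or inside the renewal window.
	if now.After(c.NotAfter) {
		rules = append(rules, "expired")
	} else if c.NotAfter.Sub(now) < renewWithinDays*24*time.Hour {
		rules = append(rules, "renew-soon")
	}
	return rules
}

var serial int64 // constructed serial numbers for the sample certificates

// newCert builds a constructed test certificate with an ephemeral P-256 key.
// With parent == nil it is self-signed; otherwise parent/parentKey issue it.
func newCert(cn string, dns []string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: the template is its own issuer
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ScanSampleInventory builds a constructed inventory of endpoint certificates
// (every name under example.internal is made up) and returns findings per subject
// CN. The internal root CA is deliberately not scanned as an endpoint cert: a root
// is self-signed by nature and belongs in a separate trust-anchor inventory.
func ScanSampleInventory(now time.Time) map[string][]string {
	ca, caKey := newCert("Internal Test CA", nil, now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0), true, nil, nil)
	day := func(d int) time.Time { return now.AddDate(0, 0, d) }
	var endpoints []*x509.Certificate
	add := func(c *x509.Certificate, _ *ecdsa.PrivateKey) { endpoints = append(endpoints, c) }
	add(newCert("legacy.example.internal", []string{"legacy.example.internal"}, day(-400), now.AddDate(2, 0, 0), false, nil, nil))
	add(newCert("*.example.internal", []string{"*.example.internal"}, day(-10), day(60), false, ca, caKey))
	add(newCert("api.example.internal", []string{"api.example.internal"}, day(-80), day(5), false, ca, caKey))
	add(newCert("web.example.internal", []string{"web.example.internal"}, day(-10), day(60), false, ca, caKey))

	findings := map[string][]string{}
	for _, c := range endpoints {
		findings[c.Subject.CommonName] = CheckCert(c, now)
	}
	return findings
}

func main() {
	for cn, rules := range ScanSampleInventory(time.Now()) {
		fmt.Printf("%-26s %v\n", cn, rules)
	}
}
```

Run with `go run .`; the legacy certificate is reported as both self-signed and valid for too long, the wildcard certificate as a wildcard, the API certificate as due for renewal, and the web certificate as clean. The self-signed check combines an issuer/subject comparison with an actual signature verification, because matching names alone can be produced by a mis-issued certificate, and the renewal window is the point at which the automated refresh from the list above should already have fired.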
Posted on 11/08/2018, Alexander Ananiev
We're incorporating more security reporting/compliance features into DPBuddy and we're also working on a new product related to certificate management.
As part of this work, we're attempting to compile and aggregate best practices related to certificates and key management.
A lot of it is just common sense; however, as we all know, even simple steps require some effort from developers and security professionals.
We're hoping that our document can be used as a checklist for everyone involved with application security. We're also planning to automate some, if not all, of these guidelines in the new version of DPBuddy and in our upcoming new product.
Please review our security best practices document and be sure to register for updates.