LAST UPDATED Jan 20, 2022
It’s January, and most of us are hitting the gym, eating salads, and resolving to take better care of our health. This year, we’d encourage you to add “improve digital health” to that list. We’re telling ThreatX customers to make sure their new year’s resolutions include good digital hygiene, such as updating cipher suites and certificates.
Updating certificates
It’s a good time to make sure your certificates are not only up to date, but are also part of a mature rotation/change management policy.
We recommend checking:
- Your certificate expiration
- Where the private keys are backed up
- That you are following a least-privileged access model – where only those who need access to certificates have access, and it is audited
Updating ciphers
Ensure your systems only accept strong ciphers. If possible, AES-GCM mode should be used over AES-CBC. In addition, upgrade to support TLS 1.3: only around 25% of web servers currently support TLS 1.3.
Good TLS 1.3 Ciphers:
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
Good TLS 1.2 Ciphers:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
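To turn the two checklists above into something you can run, here is an added example (our own illustration, not ThreatX product code) that audits an OpenSSL-style cipher string against the suites listed in this post, computes days left on a certificate from the notAfter value Python’s ssl module returns, and builds a server context limited to TLS 1.2+ with only the recommended TLS 1.2 suites. It assumes OpenSSL cipher naming and the standard-library ssl module.

```python
import ssl
import time

# The suites recommended in this post, in OpenSSL/IANA naming.
ALLOWED_TLS13 = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_128_GCM_SHA256"}
ALLOWED_TLS12 = {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"}
AEAD_MARKERS = ("GCM", "POLY1305", "CCM")


def audit_cipher_list(cipher_string):
    """Classify each suite in a ':'-separated OpenSSL cipher string.

    Returns (name, verdict) pairs: 'allowed', 'non-aead' (the CBC suites
    land here; OpenSSL omits 'CBC' from names such as AES256-SHA) or
    'not-in-allowlist' (AEAD, but not one of the recommended suites).
    """
    verdicts = []
    for name in filter(None, cipher_string.split(":")):
        if name in ALLOWED_TLS13 or name in ALLOWED_TLS12:
            verdicts.append((name, "allowed"))
        elif not any(marker in name for marker in AEAD_MARKERS):
            verdicts.append((name, "non-aead"))
        else:
            verdicts.append((name, "not-in-allowlist"))
    return verdicts


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate (negative means already expired),
    given the 'notAfter' string from SSLSocket.getpeercert(), e.g.
    'Jan 20 00:00:00 2022 GMT'. `now` is epoch seconds, default: current time."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def hardened_context():
    """Server context restricted to TLS 1.2+ and the recommended TLS 1.2 suites.
    set_ciphers() does not govern TLS 1.3 suites; with OpenSSL 1.1.1+ the three
    recommended TLS 1.3 suites are already the defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(ALLOWED_TLS12)))
    return ctx


if __name__ == "__main__":
    # Constructed sample cipher string that mixes a CBC suite into the list.
    sample = "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-RSA-AES128-GCM-SHA256"
    for name, verdict in audit_cipher_list(sample):
        print(f"{name:35} {verdict}")
    print("days left:", days_until_expiry("Feb 19 00:00:00 2022 GMT"))
    offered = {c["name"] for c in hardened_context().get_ciphers()
               if c["protocol"] == "TLSv1.2"}
    print("TLS 1.2 suites offered:", sorted(offered))
```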
As with the salads and the treadmill, small changes can prevent a lot of big problems. We’re working with our customers every day to ensure they’re not giving attackers an easy in. We’re going to regularly share more tips, advice, and observations from our experience helping customers secure their APIs and apps in 2022. Stay tuned …
In the meantime, check out this recent blog post where we shared some tips on reducing your API attack vectors.