If using a web application firewall (WAF), disclosing the IP addresses of web servers under an organisation’s control (referred to as origin servers) is avoided and access to the origin servers is restricted to the WAF and authorised management networks.
Ensure that all server communications, not just HTTP, are encrypted. This includes connections for monitoring systems, management tools, remote access (SSH), middleware, databases, mainframes, and any connections to external or partner systems. These connections should be protected from interception so that internal communications are as secure as external ones.
- V9.2.1 Trusted TLS Certificates: Use trusted TLS certificates. For self-signed or internal certificates, only trust specific internal CAs and approved certificates, rejecting all others.
- V9.2.2 Encrypted Communications: Encrypt all inbound and outbound communications (management, monitoring, APIs, databases, cloud, etc.) using TLS. No fallback to insecure protocols.
- V9.2.3 Authentication for Encrypted Connections: Authenticate encrypted connections to external systems, especially for sensitive data or critical functions.
- V9.2.4 Certificate Revocation: Enable and configure OCSP Stapling for real-time certificate revocation checking.
- V9.2.5 Logging TLS Failures: Log backend TLS connection failures to monitor and detect potential issues.

By enforcing trusted certificates, TLS encryption, authentication, OCSP Stapling, and logging failures, server communications remain secure and protected.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-01-08-01-01-01 | Use trusted TLS certificates | Ensure that all TLS certificates are trusted. For self-signed or internal certificates, only trust certificates from specific internal Certificate Authorities (CAs) and approved certificates, rejecting all others. | Development | Security Engineers, IT Operations |
SSS-01-08-01-01-02 | Encrypt all communications using TLS | Encrypt all inbound and outbound communications, including management, monitoring, APIs, databases, and cloud communications, using TLS. Ensure that there is no fallback to insecure protocols like HTTP or FTP. | Development | Security Engineers, IT Operations |
SSS-01-08-01-01-03 | Authenticate encrypted connections | Authenticate all encrypted connections to external systems, particularly for sensitive data or critical functions, to ensure data integrity and prevent unauthorized access. | Development | Security Engineers, IT Operations |
SSS-01-08-01-01-04 | Enable OCSP stapling for certificate revocation | Enable and configure Online Certificate Status Protocol (OCSP) Stapling to allow real-time certificate revocation checking. This ensures that revoked certificates cannot be used by attackers. | Deployment | Security Engineers, IT Operations |
SSS-01-08-01-01-05 | Log TLS failures | Log all backend TLS connection failures to monitor and detect potential issues, such as expired certificates, incorrect configurations, or malicious attempts to exploit vulnerabilities in the TLS protocol. | Post-deployment | Security Engineers, IT Operations |
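The following Go program is an added example, not part of the standard or the source material it cites, showing how the certificate, encryption, authentication and logging operations above (V9.2.1 to V9.2.3 and V9.2.5) combine in one backend configuration: only the approved peer certificate is trusted (an internal CA's certificate would sit in the same pool), anything below TLS 1.2 is refused, both ends present certificates, and a failed handshake is logged. The certificates, the names backend.internal and batch-job.internal, and the loopback listener are constructed for the example; OCSP stapling (V9.2.4) is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"log"
	"math/big"
	"time"
)

// newIdentity returns a self-signed certificate and key: a constructed stand-in for an approved certificate from the internal PKI.
func newIdentity(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// tlsConfig presents cert/key, trusts only the approved peer certificate (no public roots), requires TLS 1.2+ and a client certificate, so each side authenticates the other.
func tlsConfig(cert *x509.Certificate, key ed25519.PrivateKey, approved *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(approved)
	return &tls.Config{
		MinVersion: tls.VersionTLS12, RootCAs: pool, ClientCAs: pool, ServerName: approved.DNSNames[0],
		ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	}
}

// probe runs a loopback backend with srvCfg, dials it with cliCfg and returns the handshake error, logging failures so monitoring can pick them up.
func probe(srvCfg, cliCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	// Backend side: complete (or reject) exactly one handshake, then hang up.
	go func() { c, err := ln.Accept(); if err == nil { c.(*tls.Conn).Handshake(); c.Close() } }()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		log.Printf("backend TLS failure to %s: %v", ln.Addr(), err)
		return err
	}
	return conn.Close()
}
```

A backend presenting a certificate that is not in the approved pool, even one carrying the same hostname, fails the handshake and produces a log line; that log is the signal operation SSS-01-08-01-01-05 asks teams to monitor.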
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1424), OWASP Application Security Verification Standard | | |