Describe the configuration of TLS/SSL within the CloudBees environment.
There are many technical constraints placed on our infrastructure to ensure that services are accessible by a variety of clients with varying capabilities
- Modern browsers - poor protocols are locked out
- Legacy browsers - poor protocols are chosen by default
- Maven / JDK clients - limited CA updates
- Non-SNI aware clients - limited compatibility with virtual hosting of SSL services
As such, it is not always possible to have a “perfect” configuration across all endpoints within CloudBees.
However to ensure that the CloudBees security configuration is optimal (under the previously listed constraints), the CloudBees InfoSec team monitors all externally facing endpoints, and many internally facing endpoints with a variety of tools (both internal and external).
One of these tools is the Qualys SSL Scanner - https://www.ssllabs.com/ssltest/
CloudBees InfoSec uses Jenkins to automate the regular scanning of endpoints. These results are compared against our risk mitigation analysis (i.e. where non-optimal results are found - have we identified and assessed the risk previously). New issues are notified to the InfoSec and Operations teams for review, analysis and rectification where appropriate.
When new attack vectors are discovered (e.g. HEARTBLEED / DROWN / FREAK), we confirm the scanning tools are able to detect these problems and then perform our review, analysis and rectification process on any endpoints that are discovered to be non-compliant.