Encryption strength verified via scan tools
Why it matters
CWE-326 (inadequate encryption strength) can be present in a system whose configuration files say AES-256 while the deployed endpoint still negotiates weak cipher suites: a misconfigured listener, a load balancer or CDN that terminates TLS in front of the application, or a stale node behind a shared hostname. That condition is visible only in an external TLS scan of what the endpoint actually offers, not in a review of configuration files. PCI-DSS 4.0 Req-4.2 requires that transmitted cardholder data actually be protected with strong cryptography, not merely that the configuration claims it is, and NIST SC-13 requires that the cryptography in use be of an approved type. An SSLLabs grade of C or lower typically reflects legacy protocol versions (SSLv3, TLS 1.0/1.1) or weak cipher suites (RC4, 3DES, export ciphers), the conditions exploited by attacks such as POODLE, BEAST and SWEET32 against financial transaction traffic. Self-reported TLS configuration is not a substitute for external verification.
Severity rationale
Low because scan verification is an operational quality gate — the underlying TLS misconfiguration is the critical issue, and this check measures whether you've confirmed actual cipher strength externally.
Remediation
Run an SSLLabs scan against your production domain and document the result in docs/tls-scan.md:
# Command-line TLS check via the SSL Labs API v3. The first call queues the assessment and
# returns status DNS or IN_PROGRESS; repeat the same call until status is READY, then read
# the grade of every endpoint (a hostname with several IPs gets one grade per endpoint,
# so do not stop at .endpoints[0]):
curl -s "https://api.ssllabs.com/api/v3/analyze?host=yourdomain.com&publish=off&all=done" \
| jq '{status, endpoints: [.endpoints[]? | {ipAddress, grade, protocols: [.details.protocols[]? | .version]}]}'
# Or via testssl.sh, which runs from your own host and sends nothing to a third-party service
# (add --jsonfile <path> on a writable bind mount for machine-readable evidence):
docker run --rm drwetter/testssl.sh yourdomain.com:443
For an A grade, your nginx or cloud load balancer must offer only TLS 1.2 and 1.3 with forward-secret AEAD suites. Note that in nginx with OpenSSL, ssl_ciphers governs TLS 1.2 and earlier only; the TLS 1.3 suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) are enabled by default and are not controlled by this directive, so listing them here has no effect. Include both ECDSA and RSA variants so the list works with either certificate type:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
An A+ additionally requires HSTS (add_header Strict-Transport-Security with a max-age of at least six months). Schedule a recurring scan (e.g., a quarterly CI job using testssl.sh) and append the grade and date to docs/tls-scan.md; a quarterly cadence keeps the evidence inside the 180-day verification window with margin for a failed or skipped run.
Detection
- ID: encryption-scan-verified
- Severity: low
- What to look for: Count all SSL/TLS scan reports or records. Quote the actual scan tool used and the grade received. Verify that at least 1 scan was conducted within the past 180 days with a grade of A or B. A grade below B does not count as a pass.
- Pass criteria: At least 1 TLS scan report exists from within the past 180 days showing Grade A or B (SSLLabs or equivalent). Report the count even on pass (e.g., "1 SSLLabs scan from 2026-02-01, Grade A, TLS 1.3 with strong cipher suites").
- Fail criteria: No scan evidence (0 reports), or scan results showing Grade C or lower, or last scan more than 180 days ago.
- Skip (N/A) when: Project is in early development and not yet publicly accessible — cite the actual deployment status found.
- Detail on fail: "0 SSL/TLS scan reports found — encryption strength not verified" or "SSLLabs grade D — 3 of 5 cipher suites are weak"
- Remediation:
  - Run an SSL/TLS scan:
    # Using SSLLabs (online): https://www.ssllabs.com/ssltest/
    # Or command-line tools (s_client reads stdin, so close it to get a clean exit):
    openssl s_client -connect yoursite.com:443 -tls1_3 </dev/null
    nmap --script ssl-enum-ciphers -p 443 yoursite.com
  - Strengthen cipher suites:
    # nginx config (ssl_ciphers applies to TLS 1.2 and earlier; TLS 1.3 suites are negotiated separately)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
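The following script is an added example for this page (it is not code from SSL Labs, testssl.sh, or the finserv-encryption rule set). It ties the Remediation procedure to the Detection criteria: it reduces a saved SSL Labs API v3 analyze response to the worst endpoint grade, emits the evidence record for docs/tls-scan.md, and applies the pass criteria (a grade of A or B within 180 days) to the evidence file so the same logic can run as the quarterly CI gate. It assumes the v3 JSON field names (status, host, endpoints[].grade, endpoints[].details.protocols[]), an evidence record shaped {tool, date, host, grade}, and that A+, A and A- all count as "A"; the sample report is constructed for the demonstration, not a real scan.

```python
"""Evidence gate for the encryption-scan-verified check (added example).

Assumptions not taken from the page: SSL Labs API v3 'analyze' JSON field
names, a {tool, date, host, grade} evidence record, and that the A family
(A+, A, A-) counts as A. SAMPLE_REPORT below is constructed, not a real scan.
"""
from __future__ import annotations

import json
from datetime import date, timedelta

MAX_AGE_DAYS = 180                                   # verification window from the check
PASSING_GRADES = {"A+", "A", "A-", "B"}              # assumption: A family and B pass
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]  # best to worst
WEAK_PROTOCOLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}


def grade_rank(grade: str) -> int:
    """Higher is better; a grade outside the table ranks below everything."""
    return len(GRADE_ORDER) - GRADE_ORDER.index(grade) if grade in GRADE_ORDER else -1


def ssllabs_summary(report: dict) -> dict:
    """Reduce an SSL Labs v3 analyze response to what the check needs.

    The first API call queues the assessment and answers DNS or IN_PROGRESS;
    only a READY report carries grades, so anything else is rejected instead
    of being read as "no grade". A hostname with several endpoints is scored
    by its worst one: a stale node behind the load balancer is exactly what
    the external scan exists to catch.
    """
    if report.get("status") != "READY":
        raise ValueError(f"scan not finished: status={report.get('status')}")
    endpoints = report.get("endpoints") or []
    grades = [e.get("grade") for e in endpoints]
    if not grades or None in grades:
        raise ValueError("report has an endpoint without a grade")
    protocols = {
        f"{p['name']} {p['version']}"
        for e in endpoints
        for p in (e.get("details") or {}).get("protocols", [])
    }
    return {
        "host": report.get("host"),
        "grade": min(grades, key=grade_rank),
        "protocols": sorted(protocols),
        "weak_protocols": sorted(protocols & WEAK_PROTOCOLS),
    }


def evidence_record(summary: dict, scanned_on: str, tool: str = "SSLLabs") -> dict:
    """One line for docs/tls-scan.md (JSON keeps it machine-checkable). Date is ISO YYYY-MM-DD."""
    return {"tool": tool, "date": scanned_on, "host": summary["host"],
            "grade": summary["grade"], "protocols": summary["protocols"]}


def evaluate(records: list[dict], today: str) -> tuple[bool, str]:
    """Apply the pass/fail criteria to the evidence file.

    Pass: at least one record within MAX_AGE_DAYS whose grade is A or B.
    The detail text follows the check's convention: the count is reported
    even on pass, and a grade below B never counts.
    """
    if not records:
        return False, "0 SSL/TLS scan reports found - encryption strength not verified"
    cutoff = date.fromisoformat(today) - timedelta(days=MAX_AGE_DAYS)
    recent = [r for r in records if date.fromisoformat(r["date"]) >= cutoff]
    if not recent:
        newest = max(records, key=lambda r: r["date"])
        return False, f"last scan {newest['date']} is older than {MAX_AGE_DAYS} days"
    passing = [r for r in recent if r["grade"] in PASSING_GRADES]
    if not passing:
        worst = min(recent, key=lambda r: grade_rank(r["grade"]))
        return False, (f"{worst['tool']} grade {worst['grade']} on {worst['date']}"
                       " - below B does not count as pass")
    latest = max(passing, key=lambda r: r["date"])
    return True, (f"{len(records)} scan record(s); latest passing: {latest['tool']} scan "
                  f"from {latest['date']}, Grade {latest['grade']}")


# Constructed sample (not a real scan): two endpoints behind one name, one of
# which still offers TLS 1.0 and therefore drags the host below B.
SAMPLE_REPORT = {
    "host": "pay.example.test", "status": "READY",
    "endpoints": [
        {"ipAddress": "203.0.113.10", "grade": "A",
         "details": {"protocols": [{"name": "TLS", "version": "1.2"},
                                   {"name": "TLS", "version": "1.3"}]}},
        {"ipAddress": "203.0.113.11", "grade": "C",
         "details": {"protocols": [{"name": "TLS", "version": "1.0"},
                                   {"name": "TLS", "version": "1.2"}]}},
    ],
}


def main() -> None:
    summary = ssllabs_summary(SAMPLE_REPORT)
    record = evidence_record(summary, "2026-04-18")
    print(json.dumps(record))                         # the line to append to docs/tls-scan.md
    passed, detail = evaluate([record], "2026-04-18")
    print("PASS" if passed else "FAIL", "-", detail)
    if summary["weak_protocols"]:
        print("weak protocols still offered:", ", ".join(summary["weak_protocols"]))


if __name__ == "__main__":
    main()
```

Run it as a CI step after the scan: feed the saved analyze JSON to ssllabs_summary, append the record to the evidence file, and fail the job when evaluate returns False. Scoring by the worst endpoint is deliberate; a per-IP grade lets one unpatched node behind a shared hostname pass unnoticed if only the first endpoint is read.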
External references
- cwe · CWE-326 — Inadequate Encryption Strength
- pci-dss:4.0 · Req-4.2 — PAN protected with strong cryptography during transmission
- nist:rev5 · SC-13 — Cryptographic Protection
Taxons
History
- 2026-04-18·v1.0.0·Initial import from finserv-encryption·automated