Introduction
In May we’ve reacted quickly to agreements on certificate validity periods by refining the risks we raise against certificates with long validity periods, and we’ve added a brand new asset management page for services.
In this month’s blog, we cover the following:
- Changes to risks relating to TLS certificate validity periods
- A new Asset Management page for Services
- New in-app navigation options
TLS certificate validity period
In May (the 13th to be precise), we updated risks relating to TLS certificate validity periods. It was previously anticipated that a 90 day validity period, recommended by Google, was likely to come into force. To allow organisations to prepare for this, Hexiosec ASM was highlighting certificates with a period longer than this. Based on recent agreements on this topic, the results found by Hexiosec ASM have now been updated to reflect these agreements, and help you resolve certificate risks.
The CA/Browser forum have agreed a plan to reduce the maximum lifespan of certificates in steps starting from 15 March 2026. The forum has issued updated requirements for the issuance and management of publicly-trusted certificates. The aim of this is to improve online security by encouraging more frequent certificate renewals. The full schedule is as follows:
- Until 15 March 2026, the maximum is 398 days.
- From 15 March 2026, the maximum is 200 days.
- From 15 March 2027, the maximum is 100 days.
- From 15 March 2029, the maximum is 47 days.
As a consequnce we have removed the previous 90 day risk, and added a new risk for certificates with a validity period of over 398 days, reflecting the current recommendation. If you have a scan, which has run since the 13th May, the results will reflect this change.
If the scan also ran prior to the 13th May, as with all updates to Hexiosec ASM checks, we mark this on the risk charts. This helps you understand if changes in your results are due to this update.
Going forward, we will update the risks found by Hexiosec ASM in line with the schedule above, so you can expect similar updates to our risks until 2029.
We are also planning to include a dedicated TLS certificates page in Hexiosec ASM, which will allow you to filter for certificates of differing validity periods, and allowing you to plan ahead for the changes.
You can read more about TLS certificate risks in our knowledge base .
A new Services page
We’ve added a new Asset Management page, for services, which are the open ports found on domains and IP addresses. The service information has always been available in Hexiosec ASM, from the Explore pages or listed under the Domains and IP addresses pages, but Hexiosec ASM now has a dedicated page.
The Services page allows you to easily search and filter on assets hosting certain services, for example you could filter the Services page to FTP and see all IPs with an open FTP port.
From each row on the Services page, we’ve added the new “Go to…” option to navigate to the explore page for a service, and in the case of a web protocol (e.g. HTTPS) to the Web Presence page for that specific service.
The Services page includes other filters, such as certificates to filter on all services hosting the selected certificates, or components for all services using selected libraries or web components, e.g. PHP 7.2.34.
The new Service page follows our existing look and feel, so should be immediately familiar to users of Hexiosec ASM and will give you another helpful way to interact with your results.
Where is it?
You’ll find the new Services page under the Asset Management sidebar item.
Or you can also access it from the Overview page’s Services widget, this will take you to a view filtered for the service type you selected, e.g. port 21 (FTP).
More “Go to…” navigation options
Last month’s update (April 2025) introduced a new feature to link from the scan Changes page to the Risks or Actions pages, filtered for the relevant change. As promised, we’ve expanded this feature and added similar navigation links to other pages in Hexiosec ASM, read on…
Changes page navigations
If a new risk relates to a web page, the navigation link on the Changes page will now include a link to the Web Presence page pre-filtered for the website with the risk. This makes it simple for you to navigate assets and website impacted by a risk.
Risks page navigations
The Risks page already included the “Go to…” button to navigate to related Actions. As above for website related risks, this button now includes an additional item to navigate to the Web Presence page pre-filtered for the websites impacted by the selected risk.
Services page navigations
Finally, the new Services page also includes the “Go to…” option, see above for more details!
Coming soon
We’re working on features to bring new checks to Hexiosec ASM and ways to help you prioritise risks, which include:
- TLS version checks: Add TLS version checks to our existing TLS checks, including new risks if old versions of TLS are offered, e.g. TLS 1.0.
- EPSS visualisations: To complement our CVE and KEV checks, we’re adding EPSS visualisations, to allow you to search and filter discovered CVEs based on their exploitability.
Related Posts
