describe port(443) do
it { should be_listening }
its('protocol') {should eq 'tcp'}
end
that is nowhere near enough. Should be able to verify that it's actually HTTPS and not some random protocol, that secure socket does NOT support old insecure protocols like SSL2 SSL3 or TLS1, that DES CBC and RC4 are disabled if TLS1.1 was negotiated. Should verify minimum negotiated key and offered public key certificate is of acceptable length etc. Otherwise its just another tool designed to lull users into false sense of security.
And lets not forget about validation of actual application code : is there a fuzzer available for simulation of illformed inputs? What about validating that communication from application to databases is not vulnerable to SQL injection? What about verification that secret information that applications need is protected adequately ?