As per discussion here, customers will start asking (in fact, have started asking) for information about the endpoints that are exposed by our products.
We should have a central repository of information about this somewhere that we can keep up to date and refer customers to when they ask questions like these.
Some information that will be interesting here is:
- A list of endpoints
- Can they be secured with TLS?
- Record the supported TLS versions (per Java version?) and cipher suites
- Document how to change the TLS versions and ciphers. Highlight where this is not possible.
- If insecure ciphers are available, add default configuration to allowlist strong ciphers only
- Do the same for insecure TLS versions
@dervoeti mentioned CryptoLyzer, a tool that analyzes endpoints and generates reports in a format that is supported by SecObserve, which is quite a nice benefit.