Gather information about endpoints provided by our products and evaluate (and document) security for these #550

Open
soenkeliebau opened this issue Mar 19, 2024 · 0 comments

As per discussion here, customers will start asking (in fact, have started asking) for information about the endpoints that are exposed by our products.

We should have a central repository of information about this somewhere that we can keep up to date and refer customers to when they ask questions like these.

Some information that will be interesting here is:

  • A list of endpoints
  • Can they be secured with TLS?
  • Record the supported TLS versions (per Java version?) and cipher suites
  • Document how to change the TLS versions and ciphers. Highlight where this is not possible.
  • If insecure ciphers are available, add default configuration to allow-list strong ciphers only
  • Do the same for insecure TLS versions

@dervoeti mentioned CryptoLyzer, a tool that analyzes endpoints and generates reports in a format that is supported by SecObserve, which is quite a nice benefit.
