[Owasp-leaders] Quickwins for securing applications

psiinon psiinon at gmail.com
Mon Sep 19 09:36:29 UTC 2016

OK, I'll start this off :)
Don't underestimate the value of security headers.
Depending on your environment you might even be able to add some without
changing your application code.

To work out where you are with your 300 apps you could try the ZAP Baseline
scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
This just spiders the specified URL for (by default) 1 minute and then
reports the issues it found via passive scanning. So it's quick and safe.
It uses one of the ZAP Docker images and can easily be scripted to scan as
many URLs as you like - the scans typically take < 2 mins in total so you
should be able to scan 300 apps in under 10 hours via one machine.
We use it in Mozilla Cloud Services to scan all of our services every day
and generate a simple dashboard highlighting just the issues we are
interested in.
Unfortunately it's a private repo, but I can share the scripts to scan
multiple services and generate the dashboard if there's any interest.



On Sat, Sep 17, 2016 at 7:38 AM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> Good day to all leaders!
> I was very busy these days because I need to secure 300 APIs. I would
> like to ask for your suggestions for a quick-win remediation for securing
> an existing web application; since I'm working on 300 APIs I can't secure
> all of them at once, so I was thinking about how to secure the others
> while I'm testing the other applications.
> One that I am now using is ModSecurity; I deployed ModSecurity on our
> affiliated web applications.
> Any suggestions on how I can secure these applications for a short period of
> time, to buy me some time while I am not done with the other applications?
> Any compliance and open-source tools? Steps and other stuff that can help?
> Thanks in advance! :)
> John Patrick Lita
> Consultant Globe Telecom Information Security/Vulnerability Management
> OWASP Manila chapter chairman
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> https://www.owasp.org/index.php/Manila
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
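Scripting the baseline scan across a list of apps and rolling the JSON reports up into a dashboard of just the findings you care about, as an added example (this is not psiinon's Mozilla scripts, which are private, and not code from the ZAP project). It assumes the `owasp/zap2docker-stable` image name, the `-t`/`-m`/`-J` options of current `zap-baseline.py` (`-J` writes the full JSON report, relative to the mounted `/zap/wrk` directory), the ZAP JSON report layout (a top-level `site` list, each with an `alerts` list carrying `pluginid` and `count`), and the passive-scan rule IDs used for the security-header checks; the sample reports are constructed, not real scan output.

```python
"""Scan many apps with the ZAP Baseline scan and roll the JSON reports up
into one dashboard of the security-header findings we care about."""
import json
import os
import subprocess
import sys
from collections import Counter

# ZAP passive-scan rule IDs for the security-header checks. These IDs are
# assumed from the ZAP rule set; they are not named in the post.
HEADER_RULES = {
    "10020": "X-Frame-Options",
    "10021": "X-Content-Type-Options",
    "10035": "Strict-Transport-Security",
    "10038": "Content-Security-Policy",
}

ZAP_IMAGE = "owasp/zap2docker-stable"  # assumed image name


def baseline_command(target, report_name, minutes=1, workdir=None):
    """Docker command line for one ZAP Baseline scan of `target`.

    `workdir` (default: the current directory) is mounted at /zap/wrk so the
    JSON report written by zap-baseline.py -J lands on the host.
    """
    workdir = workdir or os.getcwd()
    return [
        "docker", "run", "--rm",
        "-v", f"{workdir}:/zap/wrk/:rw",
        "-t", ZAP_IMAGE,
        "zap-baseline.py",
        "-t", target,          # URL to spider and passively scan
        "-m", str(minutes),    # minutes to spider (default 1)
        "-J", report_name,     # full JSON report, relative to /zap/wrk
    ]


def summarize_report(report_text, rules=HEADER_RULES):
    """Count alert instances per header rule across all sites in one report."""
    doc = json.loads(report_text)
    found = Counter()
    for site in doc.get("site", []):
        for alert in site.get("alerts", []):
            plugin = str(alert.get("pluginid", ""))
            if plugin in rules:
                # "count" is a string in ZAP's JSON report; default to 1 if absent
                found[rules[plugin]] += int(alert.get("count", 1))
    return dict(found)


def dashboard(reports, rules=HEADER_RULES):
    """Rows {url, missing, score}, worst app first, from {url: report_json}."""
    rows = []
    for url, text in reports.items():
        hits = summarize_report(text, rules)
        rows.append({"url": url, "missing": sorted(hits), "score": len(hits)})
    rows.sort(key=lambda r: (-r["score"], r["url"]))
    return rows


def render(rows):
    """Plain-text table, one line per app."""
    out = ["app\tmissing\theaders"]
    for r in rows:
        out.append(f"{r['url']}\t{r['score']}\t{', '.join(r['missing']) or '-'}")
    return "\n".join(out)


def scan_all(targets, minutes=1):
    """Run the baseline scan for each target and return {url: report_json}.

    zap-baseline.py exits non-zero when it reports WARNs or FAILs, so a
    non-zero status is not treated as a failed scan.
    """
    reports = {}
    for i, target in enumerate(targets):
        name = f"report-{i}.json"
        subprocess.run(baseline_command(target, name, minutes), check=False)
        with open(name, encoding="utf-8") as fh:
            reports[target] = fh.read()
    return reports


# Constructed sample reports in the shape of ZAP's JSON output (assumed
# layout: top-level "site" list, each with an "alerts" list). Not real scans.
SAMPLE_REPORTS = {
    "https://api-a.example": json.dumps({"site": [{"@name": "https://api-a.example", "alerts": [
        {"pluginid": "10020", "alert": "X-Frame-Options Header Not Set", "riskcode": "2", "count": "3"},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "count": "5"},
        {"pluginid": "10015", "alert": "Incomplete or No Cache-control and Pragma HTTP Header Set", "riskcode": "1", "count": "2"},
    ]}]}),
    "https://api-b.example": json.dumps({"site": [{"@name": "https://api-b.example", "alerts": [
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "count": "1"},
    ]}]}),
    "https://api-c.example": json.dumps({"site": [{"@name": "https://api-c.example", "alerts": []}]}),
}

if __name__ == "__main__":
    # With URLs on the command line, run real scans (needs Docker);
    # otherwise print the dashboard for the constructed sample.
    reports = scan_all(sys.argv[1:]) if sys.argv[1:] else SAMPLE_REPORTS
    print(render(dashboard(reports)))
```

Run it with no arguments to see the dashboard for the constructed sample, or as `python3 zap_dash.py https://app1.example https://app2.example ...` to scan real targets one after another (each scan takes a minute or two, as the post says). Only the rule IDs in HEADER_RULES reach the dashboard; the unrelated cache-control alert in the sample is deliberately dropped, which is the "just the issues we are interested in" filtering the post describes.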