[Owasp-leaders] Quickwins for securing applications

John Patrick Lita john.patrick.lita at owasp.org
Mon Sep 19 10:34:31 UTC 2016


Hi Simon!

Thanks! Looking forward to that! I use OWASP ZAP for now as one of the
baselines to analyze HTTP headers and eliminate positive and false-positive
results for vulnerabilities and missing best practices.

Thank you in advance

John Patrick Lita
Consultant, Globe Telecom Information Security/Vulnerability Management
OWASP Manila chapter chairman
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
https://www.owasp.org/index.php/Manila
<https://lists.owasp.org/mailman/listinfo/owasp-manila>

On Mon, Sep 19, 2016 at 5:36 PM, psiinon <psiinon at gmail.com> wrote:

> OK, I'll start this off :)
> Don't underestimate the value of security headers:
> https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
> Depending on your environment you might even be able to add some without
> changing your application code.
>
> To work out where you are with your 300 apps you could try the ZAP
> Baseline scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
> This just spiders the specified URL for (by default) 1 minute and then
> reports the issues it found via passive scanning. So it's quick and safe.
> It uses one of the ZAP Docker images and can easily be scripted to scan as
> many URLs as you like - the scans typically take < 2 mins in total so you
> should be able to scan 300 apps in under 10 hours via one machine.
> We use it in Mozilla Cloud Services to scan all of our services every day
> and generate a simple dashboard highlighting just the issues we are
> interested in.
> Unfortunately it's a private repo, but I can share the scripts to scan
> multiple services and generate the dashboard if there's any interest.
>
> Cheers,
>
> Simon
>
> On Sat, Sep 17, 2016 at 7:38 AM, John Patrick Lita <
> john.patrick.lita at owasp.org> wrote:
>
>> Good day to all leaders!
>>
>> I was very busy these days because I need to secure 300 APIs. I would
>> like to ask for your suggestions for a quick-win remediation for securing
>> an existing web application. Since I'm working on 300 APIs I can't secure
>> all of them at once, so I was thinking about how to secure the others
>> while I'm testing the other applications.
>> One that I am now using is ModSecurity; I deployed ModSec on our
>> affiliated web applications.
>>
>> Any suggestions on how I can secure these applications for a short period of
>> time, to buy me some time while I am not done with the other applications?
>> Any compliance and open-source tools? Steps and other stuff that can
>> help?
>>
>> Thanks in advance! :)
>>
>> John Patrick Lita
>> Consultant, Globe Telecom Information Security/Vulnerability Management
>> OWASP Manila chapter chairman
>> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
>> https://www.owasp.org/index.php/Manila
>> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
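The scripted multi-URL ZAP Baseline run that Simon describes above, as an added example (this is not Simon's Mozilla script, which was not posted in the thread): it loops over a list of URLs, runs the ZAP Docker image against each one, records the result, and prints a dashboard of only the targets that need attention. The image name, the /zap/wrk bind-mount path and the exit-code mapping of zap-baseline.py (0 pass, 1 FAIL, 2 WARN, other = scan error) are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: batch ZAP Baseline scans over a URL list, then a plain-text
# dashboard of just the FAIL/WARN/ERROR targets (not the thread's own script).
set -u

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-weekly}"   # assumed image name
SPIDER_MINS="${SPIDER_MINS:-1}"                     # baseline default: 1 minute
OUT_DIR="${OUT_DIR:-./zap-reports}"

# Filesystem-safe report name: https://api.example.com/v1 -> api.example.com_v1
report_name() {
    printf '%s' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[^A-Za-z0-9.-]#_#g' -e 's#_*$##'
}

# Assumed zap-baseline.py exit codes mapped to a dashboard label.
status_label() {
    case "$1" in
        0) echo PASS ;; 1) echo FAIL ;; 2) echo WARN ;; *) echo ERROR ;;
    esac
}

# Run one baseline scan; the HTML report lands in $OUT_DIR via the bind mount.
scan_one() {
    url="$1"; name="$(report_name "$url")"
    docker run --rm -v "$(cd "$OUT_DIR" && pwd):/zap/wrk:rw" "$ZAP_IMAGE" \
        zap-baseline.py -t "$url" -m "$SPIDER_MINS" -r "$name.html" \
        >"$OUT_DIR/$name.log" 2>&1
    echo "$?"
}

# Scan every URL in a file (one per line); append "url,status" to results.csv.
scan_all() {
    mkdir -p "$OUT_DIR"
    while read -r url; do
        [ -z "$url" ] && continue
        printf '%s,%s\n' "$url" "$(status_label "$(scan_one "$url")")" >>"$OUT_DIR/results.csv"
    done <"$1"
}

# Dashboard: only targets needing attention, worst first (FAIL, WARN, ERROR).
dashboard() {
    awk -F, '$2=="FAIL"{f[++nf]=$1} $2=="WARN"{w[++nw]=$1} $2=="ERROR"{e[++ne]=$1}
        END{for(i=1;i<=nf;i++)print "FAIL  "f[i]; for(i=1;i<=nw;i++)print "WARN  "w[i];
            for(i=1;i<=ne;i++)print "ERROR "e[i]}' "$1"
}

# Usage: sh zap-batch.sh urls.txt  (constructed file name; one URL per line)
[ $# -eq 0 ] || { scan_all "$1"; dashboard "$OUT_DIR/results.csv"; }
```

Schedule it daily (cron or CI) and diff the dashboard against the previous run to catch regressions across the 300 targets rather than re-reading every report.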