ZAP is an open source tool for finding vulnerabilities in web applications. It can be used as a manual pen testing tool or can be automated. Simon Bennetts, Founder of OWASP Zed Attack Proxy (ZAP), has joined the Jit team, which will in a way sponsor his work on the project, ensuring the sustainability and health of the project.

In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Bennetts to discuss the ZAP project. He explains the capabilities of the tool and how it will help the whole community. Bennetts goes into details about the open source tool and how it is helping developers navigate the challenges of security.

Key highlights from the video interview are:

• ZAP is an open source tool for finding vulnerabilities in web applications. It can be used as a manual pen testing tool or can be automated. Bennetts explains it is known as a Dynamic Application Security Testing (DAST) tool, which attacks your application in the same way as a malicious hacker would. Bennetts discusses his motivations for creating the tool and how people can get engaged in the community.
• With the shift-left movement more is being placed into the developers’ pipeline and their concerns extend across functionality, performance, support, maintenance, and security. Bennetts says that as a developer, he found that he did not know enough about security and this lack of understanding could leave code vulnerable.
• There are so many areas to consider for security yet ZAP cannot solve all of your problems. Bennetts explains that it cannot understand your source code or dependencies. It solely understands the running application. He discusses how they make ZAP configurable to handle different options and easy to use since using all the different tools can be overwhelming for developers.
• ZAP is a point solution which looks at the running application and Jit allows you to embed security controls across DevOps workflow, enabling developers to test the security from the code to the runtime. Bennetts discusses why it made sense to join together with Jit and why the solution is needed.
• The Jit platform is a DevSecOps platform, which runs a range of security tools so that developers do not need to understand the intricacies of each tool. Bennetts explains how Jit’s platform can help developers.
• Bennetts discusses the common focus of Jit and ZAP to help find security issues as early as possible through the development lifecycle by involving developers. He explains why this is key. He shares what the partnership with Jit has meant for him and where his current focus lies.
• Jit is sponsoring Bennetts’ work on ZAP so that his key focus can be on realizing the potential of ZAP, which in turn benefits Jit and the companies who use it.
• Bennetts is keen to improve the relationship between companies that use open source and open source projects, and Jit is supportive of open source too. Bennetts explains that this is a particular area where he feels he can champion himself at Jit.
• Bennetts believes security has been more of a management problem saying that if management of a company did not give security the right priority, developers would not either. However, he feels that nowadays it is easier for security voices to get their voices here. He explains that in small organizations, it is difficult to have people dedicated to security yet it is an important aspect and how it can scale across businesses of all sizes.
• With a potential economic downturn, security companies with expensive commercial tools will likely be impacted. However, Bennetts feels that open source projects like ZAP are competitive with them and can be considerably cheaper than other traditional security companies. He discusses how most companies are likely to focus on getting the most value looking for the most cost effective tools.

Connect with Simon Bennetts (LinkedIn)
Learn more about ZAP Project (Twitter)
Learn more about Jit (Twitter)