It quickly stood out to me that I knew less about security than I would like to, and that these vulnerabilities would be easy for other developers to introduce as well. What I needed was a security testing tool that would help developers find vulnerabilities before they were live in production. Being keen to get involved in open source, I began looking for community focused web security tools that I could contribute to, but found nothing. Enter the Zed Attack Proxy (ZAP).
ZAP Application Security Testing is Born
Finding nothing, I decided to fork an old abandoned tool called Paros Proxy, and Zed Attack Proxy (ZAP) was born. ZAP is a Dynamic Application Security Testing (DAST) tool, meaning that it runs security tests against a running version of your application. It tests your application for security vulnerabilities such as SQL Injection, Cross Site Scripting, Cross Site Request Forgery, and many more.
After continued interest in and adoption of the new ZAP scanner, I contributed it to the OWASP Foundation on October 5, 2010. ZAP is currently one of the flagship projects of OWASP.
A Decade of ZAP
After speaking at OWASP events in Dublin and the US, ZAP began to take off. Initially I was very nervous talking to security professionals as I was still very new to security. However it became clear that there was a real need for an actively maintained security tool from both security folk and developers.
I always wanted ZAP to become a community project, so I encouraged new contributors as much as I could. It wasn’t too long before both developers and security professionals started contributing and started countless features were added. I have loved watching and being a part of the growth of the tool and the surrounding community. ZAP is now the most frequently used application security testing tool in the world, and there is so much more to come!
Looking to the Future
Application security is only becoming more important. Over the decade that ZAP has been around, our business and personal lives have rapidly shifted to online applications. With our lives and businesses online and companies shipping code faster than ever before, it is critical that we as an industry continue to focus on security.
In order to ensure that developers can deliver secure applications, there are a few items I continue to be focused on: Usability and Automation. This guides much of my work and the focus of the ZAP core team.
It is widely accepted that security needs to shift left, entering the development workflow earlier. I have believed this from the beginning. In fact, I even initially gave ZAP the tagline “The security tool for developers.” At this point, the ZAP core team believes that more security professionals use ZAP than developers, but we are constantly focused on ensuring that ZAP is accessible for finding security bugs whether you are a pentester, security engineer, or software developer.
Moving forward, we will continue to focus on features that ensure that teams across the world can test for security vulnerabilities before and after an application is delivered to production.
One key feature that makes ZAP accessible to developers, and has been central to it’s widespread adoption, is it’s features around automation. With an incredibly powerful API, Dockerized images, and packaged scans, ZAP is easy to integrate into the CI/CD pipeline. One example of this is our recent announcement as the first DAST tool available on Github Actions.
With this automation in the CI/CD pipeline, application security shifts from another manual step that a team must remember to complete to an automated part of the build process. Teams that rely on ZAP automation can rest assured that security checks are happening with every build in their continuous integration pipeline.
Joining StackHawk + Commitment to Open Source Community
In light of this history and where I see ZAP headed, I’m excited to announce that I have joined the team at StackHawk as Distinguished Engineer, Assessment Technologies. I’m joining StackHawk because I share their vision for developer focused security.
StackHawk is built on ZAP and I have been impressed with their commitment to contribute back to the open source project. In my new role, I will be able to focus the majority of my time on the development of the ZAP project and the surrounding community. I’m excited to continue my work on the project I love, while also being a part of StackHawk building a world leading application security service on top of it.
Why Commercialization is Great for ZAP
ZAP is what it is today because of the community around it. This is the beauty of open source – the tooling is continuously improving as contributors commit to the project. The core contributors of ZAP have always encouraged commercial use of ZAP and have enjoyed seeing it adopted by large companies like GitLab. We will continue to support use of ZAP as part of commercial offerings.
There is a long history of open source projects growing as commercialization increases. With commercialization comes more exposure and awareness, and with this comes more individuals contributing back to the core project.
I was excited to hear about StackHawk’s use of ZAP as the underlying scanner technology and was even more excited when I learned about their commitment to seeing the open source project grow. I am confident that StackHawk’s offering, as well as other commercialization around ZAP, will improve the open source product.
Thank Yous: Mozilla, Core Contributors, and More
Last but not least, I would like to thank Mozilla for their support of my work on ZAP over the last 8 years. ZAP would not be in the great position it is today without their help and support. It really has been an honour and a privilege to work for such a great company.
I would also like to thank the other core contributors to ZAP. When I forked the project over 10 years ago, I could have never imagined what it would grow to be today. Working with the other core contributors has been a tremendous joy. I have learned so much and it has been a privilege to be building ZAP together. I look forward to many more years of working together.
Lastly, I would like to thank the ZAP and OWASP communities. I am constantly amazed at how people are using ZAP and the contributions that they make. I love what ZAP has become, and that is exclusively a result of the great community surrounding it.