Jit, an application security startup, aims to become a top security force. To make that a reality, Jit recently hired Simon Bennetts, founder of the world’s most popular web application security scanner, the Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP).
At Jit, Bennetts will continue to develop the open source ZAP. As a dynamic application security testing (DAST) penetration testing tool, ZAP takes a pragmatic approach to finding security issues.
It runs simulated attacks on an application from the user’s side to find vulnerabilities. It acts as a “man-in-the-middle” proxy: it intercepts and inspects the messages sent between the browser and the web application. Where the responses are unexpected, they can be used to isolate and identify security vulnerabilities. ZAP was already one of the scanners underlying Jit’s scans.
Now don’t think for a moment that Jit plans to make ZAP a commercial program per se. Jit’s plan, as it has been from the beginning, is to provide “just-in-time security” for developers. It does this through an orchestration framework, a plugin architecture that combines the best open source security tools, such as OWASP Dependency-Check, npm-audit, GoSec, Gitleaks, Trivy and, of course, ZAP, in a simple and consistent developer workflow.
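To make the proxy-side inspection described above concrete, here is an added illustration (not ZAP’s or Jit’s code) of the kind of passive check a DAST proxy applies to a captured response: nothing extra is sent to the application, only the observed headers are examined. The two responses and the finding names are constructed for the example.

```python
# Constructed sample responses (not real traffic): a weakly configured app, then a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def header_values(headers, name):
    return [v for n, v in headers if n == name.lower()]

def passive_checks(raw):
    """Hypothetical passive checks: only the captured response is inspected,
    nothing extra is sent to the application. Returns sorted finding ids."""
    _, headers, _ = parse_response(raw)
    findings = set()
    if any(ch.isdigit() for s in header_values(headers, "Server") for ch in s):
        findings.add("server-version-disclosure")   # banner leaks a version
    if "nosniff" not in [v.lower() for v in header_values(headers, "X-Content-Type-Options")]:
        findings.add("missing-x-content-type-options")
    if not header_values(headers, "Content-Security-Policy"):
        findings.add("missing-content-security-policy")
    for cookie in header_values(headers, "Set-Cookie"):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.add("cookie-without-" + flag)
    return sorted(findings)
```

Running `passive_checks` over the weak response flags every check; the hardened response produces no findings.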
The point, said David Melamed, Jit’s CTO, is that “when risk and spend efficiencies are no longer aligned, security leaders add more tools faster than their teams can implement, tune, and configure them.” The solution? “Implement DevSecOps, where product security is delivered as a service into the CI/CD pipeline, with a product security plan that follows Git principles.”
As for where ZAP fits in, Bennetts said in an interview Thursday, “The challenges surrounding modern web applications are that there is so much to understand to protect them. The code security tools were too isolated; we need to combine these tools to give us a complete picture of what needs to be done to secure them.”
He continued, “Sure, developers can set up all these things themselves with open source. But the thing is, there are so many tools out there and you need to get familiar with them and configure them.
“Or with Jit, we offer an easy-to-use, combo solution that makes it much easier for companies to get on board and do everything well. These are the things we need: procure, set up, tweak, and run to get the results, with everything in one place.”
“Jit’s vision,” Melamed added, “is to provide developers with contextually relevant and just-in-time access to the knowledge and tools they need to secure the apps they build across the entire application stack, while accelerating the development process.”
Bennetts could have gone elsewhere. He said, “I’ve considered working with many companies with proprietary products, but my heart is with open source.”
As for ZAP itself, Bennetts said he and the rest of the development team are hard at work on the next version. It will feature a faster, improved network stack capable of working with modern protocols such as HTTP/2. Its spiders, used to explore applications, also work better with more web programs and include the ability to work with application programming interfaces (APIs). This next version will be released later this year.