Jit, a startup programming security company, dreams of becoming a top security force. To make those dreams come true, Jit recently hired Simon Bennetts, the founder of the world’s most popular web app security scanner, Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP).
At Jit, Bennetts will further develop the open source Zap. ZAP is a DAST (Dynamic Application Security Testing) penetration testing tool and takes a pragmatic approach to finding security vulnerabilities.
It performs simulated attacks on an application from the user side to find vulnerabilities. It works as a “man-in-the-middle proxy”, so it intercepts and inspects messages sent between the browser and the web application. When results that are not expected appear, they can be used to mitigate and identify security vulnerabilities. ZAP was already used as one of the underlying Jit scan tools.
Don’t think for a moment that Jit plans to turn Zap into a commercial program in its own right. Jit’s plan, as it has been from the beginning, is to provide “Just-In-Time Security” for developers. It does this by providing an orchestration framework, plug-in architecture that unites the best, open-source security tools such as OWASP Dependency-Check, npm-audit, GoSec, Gitleaks, Trivy and, of course, Zap in a simple and consistent workflow for developers.
Also: It’s time to stop using C and C++ for new projects, says Microsoft Azure CTO
The point, said David Melamed, Jit’s CTO, is that “Security leaders are adding more tools, faster than their teams can deploy, align and configure, where risk and spend efficiencies no longer align.” The solution? “Deploy DevSecOps where product security is delivered as a service in the CI/CD pipeline, with a product security plan that follows Git principles.”
What Bennetts sees ZAP fitting in, he said in an interview Thursday, is: “The challenges around modern web applications are that there is so much you need to understand to protect them. The code protection tools are too isolated, we need to combine these tools to give us a give a full picture of what needs to be done to secure them.”
He continued: “Of course developers can set up all these things themselves with open source. But the thing is, there are so many tools out there and you have to learn about them and configure them.
“Or, with Jit, we provide an easy-to-use, unified solution that makes it much easier for businesses to get on board and go OK, these are the things we need; grab them, set them up, tune them and run them, to get the results with everything in one place.”
“Jit’s vision,” Melamed added briefly, “is to provide developers with contextually relevant and just-in-time access to the knowledge and tools they need to build the apps they build across the entire application stack. secure, while accelerating the development process.”
Also: Chainguard releases Wolfi, a Linux ‘distribution’
Bennetts could have gone elsewhere. He confided: “I have considered working with many companies with proprietary products, but my heart is in open source. Fortunately, in Jit I found a brilliant team that is strongly committed to open source and to enable developers to secure secure build applications.”
As for ZAP itself, Bennets said he and the rest of the dev team are working hard on the next release. It will include a faster and improved network stack that can work with modern protocols such as HTTP/2. The spiders, which are used for application exploration, also work better with more web programs and provide the ability to work with APIs (Application Programming Interfaces). This next version will be released later this year.