
Jit and ZAP: Improved Programming Security


Jit, an application security start-up, dreams of becoming a leading security powerhouse. To help make that dream come true, Jit recently hired Simon Bennetts, founder of the world's most popular web application security scanner, the Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP).

Simon Bennetts, founder of ZAP

At Jit, Bennetts will continue to develop the open source ZAP. A dynamic application security testing (DAST) tool used in penetration testing, ZAP takes a pragmatic approach to finding security issues.

It runs simulated attacks against a running application from the outside, reaching it the way a user (or an attacker) would, to find vulnerabilities. It acts as a man-in-the-middle proxy: it sits between the browser and the web application, intercepting and inspecting every message that passes between them. When the application responds to one of those messages in an unexpected way, that response can be used to narrow down and identify the security hole. ZAP was already one of Jit's core scanning tools.
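To make the two halves of that approach concrete, here is an added example (not ZAP's own code, and not code from Jit): a miniature DAST loop in Python. A proxy object records every request/response pair and runs passive checks on them without altering the traffic (here: missing security headers); an active check then replays a request with a crafted canary and treats an unexpected result, the canary echoed back unencoded, as a finding. The two target "applications", their URL and the `q` parameter are constructed in-memory stand-ins so the script runs offline.

```python
"""Miniature proxy-based DAST loop: passive inspection of intercepted
traffic plus an active reflection check. Added illustration; the target
handlers, URL and parameter names are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from html import escape
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


@dataclass
class HttpResponse:
    status: int
    headers: dict[str, str]
    body: str


# A handler stands in for the real web application behind the proxy.
Handler = Callable[[str, str], HttpResponse]


def vulnerable_app(method: str, url: str) -> HttpResponse:
    """Constructed target: echoes ?q= into HTML unescaped, no security headers."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    body = f"<html><body>Results for: {q}</body></html>"
    return HttpResponse(200, {"Content-Type": "text/html"}, body)


def hardened_app(method: str, url: str) -> HttpResponse:
    """Constructed target: same endpoint with output encoding and headers."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    body = f"<html><body>Results for: {escape(q, quote=True)}</body></html>"
    headers = {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return HttpResponse(200, headers, body)


REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options")


def passive_checks(url: str, resp: HttpResponse) -> list[str]:
    """Inspect one intercepted response without modifying it."""
    path = urlparse(url).path
    present = {k.lower() for k in resp.headers}
    return [f"{path}: missing security header {h}"
            for h in REQUIRED_HEADERS if h.lower() not in present]


class InterceptingProxy:
    """Sits between client and app; records every exchange, runs passive checks."""

    def __init__(self, app: Handler) -> None:
        self.app = app
        self.history: list[tuple[str, str, HttpResponse]] = []
        self.findings: list[str] = []

    def send(self, method: str, url: str) -> HttpResponse:
        resp = self.app(method, url)
        self.history.append((method, url, resp))
        self.findings.extend(passive_checks(url, resp))
        return resp


def with_param(url: str, name: str, value: str) -> str:
    """Return url with query parameter `name` set to `value`."""
    parts = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query[name] = value
    return urlunparse(parts._replace(query=urlencode(query)))


def active_reflection_check(proxy: InterceptingProxy, url: str, param: str) -> list[str]:
    """Replay the request with a canary holding HTML metacharacters. If the
    canary comes back byte-for-byte, the app writes user input into HTML
    without encoding: the unexpected result that points at an XSS hole."""
    canary = "zapdemo<'\">"
    resp = proxy.send("GET", with_param(url, param, canary))
    if canary in resp.body:
        return [f"{urlparse(url).path}: parameter '{param}' reflected unencoded"]
    return []


def scan(app: Handler, url: str, params: tuple[str, ...]) -> list[str]:
    """Observe one normal request passively, then actively probe each parameter."""
    proxy = InterceptingProxy(app)
    proxy.send("GET", url)
    findings: list[str] = []
    for p in params:
        findings += active_reflection_check(proxy, url, p)
    # The same header gap is seen on every replay, so de-duplicate passive hits.
    return sorted(set(proxy.findings)) + findings


if __name__ == "__main__":
    target = "http://app.example/search?q=shoes"
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, scan(app, target, ("q",)))
```

Running the script reports two missing headers and one reflected parameter for the vulnerable handler and nothing for the hardened one. A real scanner differs in scale, not in kind: ZAP's passive rules run over every message its proxy sees, and its active scan replays requests with many payload families rather than a single canary.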

Don't think, though, that Jit plans to turn ZAP into a commercial program. Jit's plan, as it has been since the beginning, is to provide "Just-In-Time Security" to developers. It does this with an orchestration framework, a plug-in architecture that unifies the best open source security tools, such as OWASP Dependency-Check, npm audit, Gosec, Gitleaks, Trivy and, of course, ZAP, into a simple and consistent developer workflow.


David Melamed, CTO of Jit, said the bottom line is that "Security leaders add more tools faster than their teams can deploy, adapt, and configure them; as risks and efficiencies come into play, expenditure becomes inappropriate." The solution? "Perform DevSecOps where product security is delivered as a service into the CI/CD pipeline, with a product security plan that follows Git rules."

Bennetts, in an interview on Thursday, described where ZAP fits in: "The challenges around modern web applications are that there's a lot you need to understand to protect them, and tools to give us the full picture of what needs to be done to protect them."

He continued, “Certainly, developers can set up all of this on their own using open source. But the point is there are a lot of tools, and you have to learn about them and configure them.

"Or, with Jit, we offer a hybrid, easy-to-use solution that makes it much easier for companies to join and operate: these are the things we need; take them, set them up, tune them and run them, to get results with everything in one place."

In a nutshell, "Jit's vision," added Melamed, "is to give developers timely and contextually relevant access to the knowledge and tools they need to secure the applications that they build across the entire application stack, while accelerating the development process."


Bennetts could have gone elsewhere. He confided: "I have considered working with many companies with proprietary products, but my heart belongs to open source. Fortunately, I found in Jit a great team who are always committed and deeply connected to open source, and who empower developers to build secure applications."

As for ZAP itself, Bennetts said he and the rest of the development team are working hard on the next release. It will include an improved and faster network stack that supports modern protocols such as HTTP/2. Its crawlers, used to discover an application's content, will also work better with more web frameworks and gain the ability to work with application programming interfaces (APIs). This next version is due out later this year.
