It runs simulated attacks on an application from the user side to find vulnerabilities. It works as a "man-in-the-middle proxy," so it intercepts and inspects messages sent between the browser and web application. When results appear that aren't expected, these can be used to narrow down and identify security vulnerabilities. ZAP was already being used as one of the underlying Jit scanning programs.
Now don't think for one moment that Jit plans on turning Zap into a commercial program per se. Jit's plan, as it has been from the start, is to deliver "Just-In-Time Security" for developers. It does this by providing an orchestration framework, plug-in architecture that unifies the best, open-source security tools such as OWASP Dependency-Check, npm-audit, GoSec, Gitleaks, Trivy, and, of course, Zap into a simple and consistent developer workflow.
The point, said David Melamed, Jit's CTO, is that, "Security leaders adding more tools, faster than their teams can implement, tune and configure them where risk and spend efficiency becomes out of alignment." The solution? "Implement DevSecOps where product security is delivered as a service into the CI/CD pipeline, with a product security plan that follows Git principles."
Where Bennetts sees ZAP fitting in, he said in an interview Thursday, is, "The challenges around modern web applications is there is so much you need to understand to protect them. The code security tools have been too siloed, we need to combine these tools to give us the full picture of what needs to be done to secure them."
He continued, "Sure, developers can set all these things up themselves with open source. But the thing is, there are so many tools, and you must learn about them and configure them.
"Or, with Jit, we provide an easy-to-use, combined solution that makes it much easier for companies to come on board and go OK, these are the things we need; get them, set them up, tune them, and run them, to get the results with everything in one place."
"Jit's vision," Melamed added, in short, "is to provide developers with contextually relevant and just-in-time access to the knowledge and tools they need to secure the apps they build across the entire application stack, all while accelerating the development process."
Bennetts could have gone elsewhere. He confided, "I considered working with many companies with proprietary products, but my heart belongs to open source. Fortunately, I found in Jit a brilliant team who are deeply committed to open source and to empowering developers to build secure applications."
As for ZAP itself, Bennets said he and the rest of the developer team are working hard on the next release. It will include a faster and improved networking stack that can work with modern protocols such as HTTP/2. Its spiders, which are used for exploring applications, will also work better with more web programs and include the ability to work with application programming interfaces (API)s. This next version will be out later this year.