Jit, an application security startup, aims to become a leading security vendor. To help make that a reality, Jit recently hired Simon Bennetts, the founder of the world's most popular web app security scanner, the Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP).
At Jit, Bennetts will continue to develop the open-source ZAP. A dynamic application security testing (DAST) penetration testing tool, ZAP takes a pragmatic approach to finding security problems.
It runs simulated attacks against a running application from the user's side to find vulnerabilities. It works as a "man-in-the-middle proxy": it sits between the browser and the web application, intercepting and inspecting the messages that pass in each direction. When a response is not what was expected, that discrepancy can be used to narrow down and identify a security vulnerability. ZAP was already one of the scanners underlying Jit's platform.
Now don't think for one moment that Jit plans on turning ZAP into a commercial program per se. Jit's plan, as it has been from the start, is to deliver "Just-In-Time Security" for developers. It does this through an orchestration framework with a plug-in architecture that unifies the best open-source security tools, such as OWASP Dependency-Check, npm-audit, GoSec, Gitleaks, Trivy, and, of course, ZAP, into a simple and consistent developer workflow.