Jit and ZAP: improving programming security



Jit, a young programming security company, dreams of being a leading security powerhouse. To help make those dreams a reality, Jit recently hired Simon Bennetts, the founder of the world’s most popular web application security scanner, the Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP).

Simon Bennetts, Founder of ZAP

At Jit, Bennetts will continue to develop the open-source ZAP. A dynamic application security testing (DAST) and penetration-testing tool, ZAP takes a pragmatic approach to detecting security issues.

It performs simulated attacks on an application from the user side to find vulnerabilities. It functions as a “man-in-the-middle proxy”, so it intercepts and inspects messages sent between the browser and the web application. When unexpected results appear, they can be used to narrow down and identify security vulnerabilities. ZAP was already used as one of Jit’s underlying scanning programs.

Now, don’t for a second think that Jit is planning to turn ZAP into a commercial program in itself. Jit’s plan, as it has been from the beginning, is to provide “just-in-time security” to developers. It does this by providing an orchestration framework, a plug-in architecture that unifies top open source security tools such as OWASP Dependency-Check, npm-audit, GoSec, Gitleaks, Trivy and, of course, ZAP in a simple and consistent developer workflow.


The point, said David Melamed, CTO of Jit, is that “security leaders are adding more tools, faster than their teams can implement, tune and configure them, where the effectiveness of risk and expense becomes misaligned”. The solution? “Implement DevSecOps where product security is delivered as a service in the CI/CD pipeline with a product safety plan that follows Cottage principles.”

Where Bennetts sees ZAP fitting in, he said in an interview on Thursday, is: “The challenges around modern web applications are that there are so many things you have to understand to protect them. Code security tools have been siloed too much; we need to combine these tools to give us a complete picture of what needs to be done to secure them.”

He continued, “Of course, developers can configure all these things themselves with open source. But the thing is, there are so many tools, and you have to learn about them and configure them.

“Or, with Jit, we provide an easy-to-use combo solution that lets businesses get on and go, OK, these are the things we need; get them, configure them, adjust them, and run them, to get the results with everything in one place.”

“Jit’s vision,” added Melamed, “is to provide developers with contextually relevant, just-in-time access to the knowledge and tools they need to secure the applications they build across the entire application stack, while accelerating the development process.”


Bennetts could have gone elsewhere. He said: “I considered working with many companies with proprietary products, but my heart belongs to open source. Fortunately, I found in Jit a brilliant team that is deeply committed to open source and which enables developers to create secure applications.”

As for ZAP itself, Bennetts said he and the rest of the developer team are hard at work on the next release. It will include a faster and improved networking stack that can work with modern protocols such as HTTP/2. Its spiders, which are used to crawl applications, will also work better with more web programs and include the ability to work with application programming interfaces (APIs). This next version will be released later this year.
