Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they reach production. He has talked about and demonstrated ZAP at conferences all over the world, including Black Hat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years, and he strongly believes that you cannot build secure web applications without knowing how to attack them.
Join ZAP’s founder, Simon Bennetts, as he discusses the past decade since starting the project and looks at the state of application security today.
Simon’s introduction and presentation topic: 10 years of Open Source ZAP and a Look Toward AppSec’s Future - 0:00
10 Years of ZAP Open Source - 0:40
Deciding to Build ZAP - 0:56
Building the world’s most used web scanner. Aims and intentions. - 4:43
Walking through The First 10 Years, starting in 2019 - 6:00
Commercialization Comes to Life w/ StackHawk - 16:19
Application Security (AppSec) Moving Forward. Why hasn’t security shifted left? - 18:12
The problem is that security teams don't usually fix security problems, because they may not have the experience or the time. Even when they do, developers don't understand what the security problems were and keep making the same mistakes. Security needs to be a property of software development. - 20:47
Embedding Security in Dev Teams (see also: https://github.com/bkimminich/juice-shop) - 21:43
The Role of Automation: DAST is key (attacking your apps the way malicious actors would). Run DAST tools like ZAP in development, with scheduled scans overnight. Smaller increments of change → faster finds → faster fixes, keeping up with the speed of software delivery. With automation in place, full pen tests can focus on the deeper issues that automation won't find. - 24:24
Concluding remarks and resources/contacts (www.zaproxy.org, Twitter: @psiinon) - 27:49