Simon Bennetts, founder and project lead of OWASP ZAP, joins the home team to talk about how he came to create the world’s most-used web app scanner, why open-source projects need long-term contributors, and how recent AI advancements could introduce new security vulnerabilities.
Simon is the founder and longtime project lead of OWASP ZAP, an integrated penetration testing tool that helps uncover vulnerabilities in web apps, including compromised authentication, sensitive data exposure, and SQL injection. ZAP is OWASP’s most active project and the world’s most popular web app scanner.
Check out other OWASP projects here or explore ZAP’s docs.
Check out our blog post on how you can mitigate the ten most-found OWASP vulnerabilities in Stack Overflow C++ snippets.
Jit, where Simon is a distinguished engineer, is a DevSecOps platform that allows high-velocity engineering teams to embed security requirements throughout the DevOps workflow. You can explore Jit’s docs here.
Today we’re shouting out the question “CSP Alerts by OWASP even though CSP header is added,” definitively answered by one Simon Bennetts.
Simon is on LinkedIn and Twitter.
[intro music plays]
Ben Popper This episode is brought to you by Logitech MX Master Series: an ecosystem of advanced tools designed for coders that gets you into a flow and keeps you there until the last line of code is written and compiled. Choose between fluid mechanical typing or laptop-like low-profile typing, all paired with the experience of scrolling 1,000 lines of code per second with Logitech’s best-selling mouse: MX Master 3S.
BP Hello, everybody. Welcome back to the Stack Overflow Podcast, a place to talk all things software and technology. I'm your host, Ben Popper, world's worst coder, and I’m joined as I often am by my colleague and collaborator, Ryan Thor Donovan, blog editor extraordinaire, newsletter curator, and occasional podcast host. Ryan, I make it longer every time. Every time I add more.
Ryan Donovan I know, every time. You can just make me ordinaire. I don't need the extra.
BP So what are we going to be chit-chatting about today? This is the Stack Overflow Podcast. We're a place to talk about folks sharing knowledge, open source. I think today is a very popular open source project, right?
RD We're talking about possibly the world's most popular web scanning application.
BP Oh, cool.
RD A lot of web security and that sort of thing.
BP Nice. All right, that sounds great. Well then, without further ado, we would like to welcome our guest to the program. Simon, thanks for coming on the Stack Overflow Podcast.
Simon Bennetts Thank you very much for inviting me. It's a pleasure to be here.
BP So Simon, tell folks a little bit about who you are and a little bit of your background in the world of software and technology. How did you end up creating such a popular thing and what is it you do day-to-day now?
SB Sure. So my name is Simon Bennetts. In 2010 I released a tool called Zed Attack Proxy which got adopted by OWASP, and I go back a little bit before that. I was a developer and developed lots of online services. I think I started off working on mainframe operating systems, so I'm a bit old. But in 2009, I was working for a FTSE 100 company, so that's one of the top 100 companies in the UK. I developed an online service and it was security critical. We kind of planned the security, decided everything was going fine. We got the pen testers in a couple of weeks before it was to go live, to tick the boxes and show we'd done everything right. Got them in, a couple of guys, sat them in a room, explained everything about the service. They're on our side, wanted them to understand everything. Came back an hour later just to check they were okay and they understood everything. One of them was logged into the admin console with my credentials. They'd got superuser access within an hour. It was a bit worse than that. It wasn't actually a vulnerability in my software– they'd cracked the single sign on system for the whole company in an hour. That was one of those, “Oh my God, this isn't going the way I expected.” Car crash time. And this was not a good time for me. Here I was, I'd been at the company a couple of years, been working on this stuff. This was going to prove how good it was and it’d gone horribly wrong. So yeah, big problems. So it's one of those things like, I'm a developer. I'm pretty good at developing. I can make sure things work, they're functional, they scale, they're maintainable. I obviously can't make them secure, so let's learn a bit about security. And that's kind of where I started. So I wasn't looking to create anything. I just wanted to help myself be a better developer so I could actually make things more secure.
RD Do you know the OWASP code for the vulnerability?
SB Well, that was an authentication one. I mean, there was one cross-site request forgery I'd never even heard of. That kind of cross-site scripting vulnerability which was a mistake. We knew about those, but cross-site request forgery I knew nothing about, and I was like, “It's okay. This app is an internal one. It's behind a firewall so we're fine.” And the pen tester just looked at me and said, “Simon, I can show you how we can abuse this from outside the org.” It's like, “Oh, no. Okay, I just realized I've got to understand this stuff better.”
RD How did you go about doing that, educating yourself, and what came of it?
SB Well, I mean, I hadn't heard of OWASP, which was bad then, but a lot of developers still haven't heard of OWASP in this day and age, which is really worrying for us anyway. But I found out about the OWASP Top Ten, so the top ten most significant risks in web applications. Read that cover to cover, made sure I understood it. But I'm a developer. I don't really like reading stuff. I like doing things, I like playing with stuff. So I thought, “Okay, I'm going to have a plan here. One, I want to learn a bit more about security, so I'm going to download some security tools, some free open source ones, have a play with them. And I also want to make sure I actually test the stuff I'm doing. So when I find an open source security tool which I can automate, I can test run against my stuff every night, not get embarrassed in front of the pen testers again.” But I've also always had kind of sidelines, or side projects. I thought, “Well, this could be something interesting. I'm fascinated by what's happening here. If there's an open source project that I could get involved in with security, then that's all three sorted.” So I had a look around and I was really shocked. At that time, it’s 2009, there were no maintained open source web security projects out there. None. And that kind of felt wrong to me. But that wasn't really my focus. I found some old ones. So there was the OWASP tool, WebScarab, which was a bit strange. I didn't really get on with it. And then there was a tool called Paros Proxy, which I quite liked. It was quite simple and straightforward, so I started playing around with that. It was a desktop tool, desktop UI, written in Java. It just so happens I was a Java dev. A couple of things annoyed me about it. There was one little thing where one of the right click options was either in the sites tree and not in the history or vice versa, and I wanted it in both. So I'm a Java dev, I pulled it into Eclipse, found the code, copied it, and it worked.
And I still remember doing that and thinking, “Ooh, this is fun. I can do something with this.” But anyway, I kept on playing around with this trying to teach myself, but I also thought that really to understand things, one, coding them, but two, explain them to other people. And I knew the people, the developers and functional testers where I worked, didn't know anything about security either so I started giving talks. Simple OWASP Top 10 ones. And the first question everyone asked is, “What tool should we use?” Okay, so I went back, had another look. What tool can I recommend? And the closest tool I could find was still Paros. Or actually it wasn't, it was a version of Paros I was hacking around with on my desktop, because that was being maintained in a way by me. So I thought, “I've got to try this. It's got to be worth a try.” So I forked it, called it ZAP. I created a whole set of new accounts. I didn't want to associate it with me just in case I got sued or got laughed at by the security community or something, and released it and then told them, “Oh, I've just seen this called ZAP. Have a look at it, have a play with it.”
BP Right, asking for a friend.
SB And they came back and actually accepted it. And I try and track everything and I remember the day OWASP accepted it, it jumped to 400 downloads in one day. I was like, “Oh, wow,” and it just grew from there.
BP So have you since then taken some credit? I think I saw your name cited on the Wikipedia. And what role do you play as sort of originator, lead maintainer, casual contributor? What's your relationship with it now?
SB So I am one of the project leaders, so I'm the founder and one of the project leaders. We have a team of four core team members. We have an extended team, but I am sponsored by Jit, the company I work for, to spend most of my time working on ZAP.
RD So what are the sort of security vulnerabilities that this will catch? What are the biggest ones?
SB Oh, we have a list on the website. There are hundreds. ZAP will detect hundreds of vulnerabilities. I mean, injection vulnerabilities tend to be some of the easier ones. When you talk about web vulnerabilities, there are certain ones which are easy to automate and some which are kind of really hard and it's much easier for an experienced pen tester to find. And certainly I don’t think ZAP is the be-all and end-all. I wouldn't say if you've got a security-critical application, run ZAP and then you're fine. You need a blended approach, and if you've got some services you really care about, you probably want to get professional pen testers in regularly. You want to have a bug bounty. There's a whole range of things. But if you just get the pen testers in without doing any testing yourself, they're going to find some really easy things and be wasting your time, really. You'll be paying them to turn the handle really. So Mozilla sponsored me to work on ZAP before Jit did, and there I was kind of responsible for web services behind Firefox. And we would get a couple of pen tests done a year on particular services and it was great getting the pen testers in and after a few days seeing them sweat because they couldn't find anything. Then they would really focus and some of them found some great vulnerabilities but they had to try hard. We want to make sure that pen testers earn their keep.
RD Yeah. I mean, the security researchers definitely do their work. I've read about a couple sort of amazing security vulnerabilities, like the Rowhammer one. It's a pretty good one. I read about another one where on a hypervisor you could fake an I/O port, and I think you could do it through a video file and just open up vulnerabilities and I was like, “How does that work?”
SB Yeah, the edge cases are crazy. And for those kinds of things, the really new research, you need people involved. Okay, computers are getting clever and that's not going to find the really new stuff. There's always going to be fun things for the human pen testers to find and abuse, but the more we can automate– there aren't enough pen testers. There aren't enough security people. We need to automate more and we need to get the best out of the security people we've got.
BP Right. Yeah, if your training data ends in late 2021, you're probably missing a bunch of the new vulnerabilities that have emerged. So does the open source nature of the project lend itself to being able to keep pace with the development of new edge cases or zero-days and things like that?
SB It's tricky. I was hoping that we would be able to get lots and lots of contributors, and we've had hundreds of contributors, but we don't have many long-term ones. And it's really long-term contributors that really benefit the open source projects in general. So we want more people to get involved, we've always been a community focused project. But it's tricky and security is hard and I think a lot of developers are nervous about contributing to a security project. They're afraid that they don't know enough about it. It's a great way to learn, by the way, and security is a great career to get into. Often you need qualifications, but I've got a list of companies who've said, “If you know anyone who understands ZAP code base, we’ll employ them.” So I can get people into the security industry. They just need to get involved and volunteer for a bit.
BP Oh, this is good. All right, well, at the end we'll give a shout out. We'll put some links in the show notes. But if you're listening and you want a job in security, apparently Simon has some waiting for you.
SB Oh, absolutely.
BP So you mentioned ChatGPT and some of the new things that are roving around the internet. Autonomous agents is all the hype this week of people asking an AI to do something and it spins up a bunch of other agents to do it. But from your perspective, what have been the most interesting/maybe terrifying trends to emerge in the last year? What should people be thinking about when it comes to web security? And where do you think tools like the ones you've created are going to be headed in terms of helping people the most?
SB Oh, good question. So I don't tend to look at the bleeding edge research– that's very much on the manual side. So I'm focusing myself much more on the automation, and it's kind of how we can cope with things at the moment because web applications right now are a complete and utter pain. The move towards more functionality in the front end makes things really difficult. Just things like how to explore an application, you can't use a traditional crawler. You really have to launch a browser and control that and that can be a little bit challenging. Then you have to authenticate. Authenticating to applications is a complete pain. We've got low level support for all these things, but then you have to have somebody who really understands it to configure ZAP to be able to authenticate. Right now I'm trying to automate that. I'm trying to get ZAP to actually recognize common patterns and handle all of that side, but it's really hard. But then, I think web development seems to be getting more and more complex and more frameworks and tools getting involved. And the more things, the more complexity, the more chance of vulnerabilities, the more cracks, the more holes where things can go horribly wrong. Keeping as simple as possible is always best from a security point of view, but there are competing requirements on developers and security is one of the lower ones, unfortunately.
RD I mean the framework sort of shortcut lets you do a lot of cool stuff, but you're right, it does open up a lot more surfaces. Are there specific vulnerabilities that you think frameworks and additional complexity opens up that people should look out for?
SB In some ways, a lot of frameworks are making things better, particularly with encoding outputs. So things like cross-site scripting are trickier if you actually follow what the frameworks recommend. Most modern frameworks now actually have a good security posture as long as you do what they recommend. So following that I think generally makes things better, but there are always edge cases and the more that frameworks do for you, the less in some ways you have to think about security. And that then becomes a problem if you think, “Oh, the framework will handle everything,” and it doesn't. Thinking that the framework will do everything for you is a big danger.
BP Usually this time of the show, we shout out the winner of a badge, but today I have a very special question shout out. Asked two months ago, “CSP alerts by OWASP even though CSP header is added.” Someone wanted to know why they were getting this alert. They thought they had it right. And somebody named Simon Bennetts came and left an answer here, “You should always look at the ZAP alert details.” And then in the comments it says here, “Ah, you made me read the alert details carefully. Now I've figured it out.” So thanks for sharing a little knowledge here on Stack Overflow, and I upvoted your answer, so you've gotten some extra points now, yes.
SB People ask questions in so many places, and Stack Overflow is one of the key places. There's a ZAP tag. I get alerts on that to check it all the time and it's important and that's such a key resource people use. I’ve got to go there and make sure I can help people out.
BP Great. Well, thanks for contributing to the platform.
RD Stack Overflow is unofficial support for another software tool.
BP We are the world's FAQ troubleshooting forum. All right everybody, as always, thank you for listening. I am Ben Popper. I'm the Director of Content here at Stack Overflow. You can always find me on Twitter @BenPopper. If you have questions or suggestions for us, shoot us an email, email@example.com. And if you like the show, leave us a rating and a review. It really helps.
RD I'm Ryan Donovan. I edit the blog here at Stack Overflow. You can find it at stackoverflow.blog. And if you want to find me on Twitter, I'm @RThorDonovan.
SB I'm Simon Bennetts. I'm the OWASP ZAP founder and one of the project leads. On social media, I'm @Psiinon. You should find me on most of those places. And if you'd like to get involved in working on ZAP or understanding more about ZAP, just get in touch, and a big shout out to Jit.io for supporting my work on ZAP.
BP All right, everybody. Thanks for listening and we will talk to you soon.
[outro music plays]