►
Description
Keith Hoodlet, Field Security Architect, chats with Simon Bennetts about OWASP Zed Attack Proxy (ZAP) the world's most used open source web application security tool.
0:00 - Start & Intros
3:14 - What inspired you to work on the ZAP project? Necessity as the mother of invention, the OWASP Top 10, and embarking on a security journey without any security training
10:02 - ZAP's progress over time
12:06 - What security challenges do you see in the near future?
14:09 - Open source as a career springboard
16:44 - The ZAP HUD & a demo
26:51 - The value of a graphical interface for security testing
28:30 - Automation within ZAP itself vs the API
32:18 - ZAP reporting
35:11 - Stackhawk , ZAP and playing to your strengths
39:25 - ZapCon
42:26 - Other open source security resources
https://www.stackhawk.com/blog/guide-to-zap-application-security-testing/
https://www.zaproxy.org/
https://owasp.org/www-project-zap/
A
B
B
B
I'm
super
super
excited
to
have
this
conversation
with
you.
If
you're
joining
us
and
you've
not
heard
of
zap
you're
gonna,
learn
about
what
zap
is
today
and
the
men
who
actually
created
this
amazing
tool
and
then,
if
you
are
actually
already
a
user
of
zap
or
have
been
thinking
about
dialing
into
application
testing.
This
is
a
fantastic
memory,
so
you're
in
the
right
place.
But
before
we
get
started
for
those
of
you
who
never
met
simon,
I
have
to
introduce
you
so
simon.
I
have
to
praise
and
sing
all
your
accolades.
B
He's
talked
about
zap
he's
demonstrated
stuff
at
conferences
all
over
the
world,
including
back
black
hats,
java
1
foster,
wasp
asia
pack
prior
to
moving
into
security,
and
this
is
why
I
think,
there's
a
lot
of
you
who
are
watching
who
are
big
fans
of
siren,
because
he
was
also
a
developer,
and
this
is
how
he
got
started
so
before
making
this
move
into
security.
He
was
a
developer
for
25
years.
B
He
believes
in
you
cannot
build
secure
web
applications
without
knowing
how
to
attack
them,
and
so
this
is
just
amazing
to
have
you
here
today
and
we
just
dive
right
in
what
we're
going
to
have
today
is
a
bit
of
a
conversation.
Maybe
we
can
twist
simon's
arm
and
get
him
to
give
us
a
tiny
demo,
maybe
and
then
yeah
go
from
there,
but
let's
learn
together
so
keith.
If
you
don't
mind,
just
go
ahead
and
get
started
with
the
questions.
That'd
be
cool.
C
Yeah
yeah,
so
once
again
simon,
I
just
want
to
say
on
behalf
of
all
you
know,
starting
bug,
bounty
hunters
everywhere.
Thank
you
for
all
the
work
that
you
do
on
z
attack
proxy.
It's
it's
the
way
that
a
lot
of
people
get
into
the
application
security
space,
and
so
thank
you
to
kick
things
off,
though
I
wanted
to
ask
what
inspired
you
to
work
on
the
zap
project.
D
D
Known
how
it
was
going
when
you
know
we
got
them
aboard
two
guys
great
guys
and
I
treated
them
as
part
of
the
team.
You
know
I
wanted
them
to
know
everything
about
the
application,
because
they
were
there
to
find
out
everything
else.
We
put
them
and
put
them
in
a
room,
and
I
just
popped
back
in
after
an
hour
to
see
how
things
were
going.
D
C
D
Actually,
the
report
wasn't
that
bad
I've
delivered
now
deliver
much
worse
reports
to
people,
but
at
the
time
it
felt
awful
you
know
here
was
we
were
we
thought
we
were
doing
everything
right
and
they
found
vulnerabilities.
I've
never
even
heard
of
cross-site
request.
Forgery
didn't
know
anything
about
it
and-
and
you
know
they
found
a
silly
cross-site
scripting
vulnerability
that
shouldn't
shouldn't
have
got
through.
So
I
was
a
very
low
place.
I
was
not
happy
at
all,
so
you
know
I'm
the
developer.
D
You
know
I
make
sure
that
my
applications
perform.
You
know
they
do
what
they're
supposed
to
do
they're
robust
they
need
to
be
secure.
I
need
to
learn
about
security.
I
hadn't
heard
of
oh
wasp.
The
pen
testers
told
me
about
oh
wasp,
okay,
great
well,
I
haven't
heard
of
it.
I
don't
know,
but
you
know
well,
maybe
because
I've
never
had
any
security
training
for
a
start.
You
know.
E
D
Just
didn't
happen
at
those
time,
so
looked
at
almost
found
the
os
top
10
read
all
about
it,
but
I'm
I'm
a
developer.
I
learn
best
by
playing
around
with
things.
So
it's
like
I
want
to
play
with
stuff.
I
want
to
download
some
tools
and
have
a
play.
So
I
looked
out
for
open
source
security
tools
so
that
one
can
help
me
learn
about
security
and
two.
D
D
I
I
was
kind
of
surprised
to
find
that
there
weren't
at
that
time
there
weren't
any
maintained
open
source
web
security
tools.
None
xero.
This
kind
of
surprised
me
and
I
just
felt
it
was
wrong.
There
was
I
was
had
web
scarab.
I
didn't
really
get
on
with
web
scarab.
It
just
didn't,
didn't
really
work.
For
me
there
was
a
tool
called
paros.
I
quite
liked
paros.
It
was
straightforward.
D
I
could
see
what
was
going
on
played
with
stuff.
It
was
quite
out
of
date,
wasn't
maintained,
but
I
liked
it
played
with
it,
but
I
kind
of
so
I
started
learning
about
it
myself.
Actually,
there
was
a
couple
of
things
that
annoyed
me.
There
was
one
right
click
option
on
one
window
on
the
site's
tree
or
the
history.
Where
it
you
know
you
could
open
the
manual
request,
editor
and
not
the
other
one.
D
Wait
a
minute
it's
written
in
java,
pulling
into
eclipse
messing
around.
Oh,
this
is
cool.
I
could
do
something
with
this
and
I
still
remember
that
point,
but
me
time
I
was
kind
of
I
started,
giving
talks
to
people
at
work,
other
developers
and
qa
functional
testers
to
tell
them
about
the
deals
top
ten.
They
didn't
know
about
it.
I
didn't
know
about
it
before
I
wanted
to.
D
D
Okay,
let's
go
back
and
have
a
look
at
this.
What
is
the
best
tool
I
can
recommend
these
folks
to
use
worked
out
is
probably
paros.
Oh,
maybe
it
wasn't
paris.
Maybe
it
was
a
version
of
paris.
I
was
hacking
around
with
because
I've
made
some
improvements
and
I've
been
thinking
about
moving
into
open
source
and
working
on
open
source
projects.
I
was
kind
of
hoping
to
find
a
web
security
tool
open
source
project
that
I
could
join
and
contribute
to
and
learn
that
way
I
thought.
D
Well,
maybe
I've
got
to
create
that
project
so
called
its
app
released.
It
created
a
set
of
usernames
all
called
sign-on
weren't
associated
with
me
in
any
way
in
case
all
the
security
people
laughed
at
me
and
I
had
to
go
away
and
then
released
it
and
I
offered
it
to
owasp
and,
to
my
surprise,
a
couple
of
months
later
I
always
said
yeah,
it's
the
noah's
project
and
I
saw
the
downloads
jump
by
400.
On
that
day,
I
thought
this
is
fun.
That's
how
it
got
started.
D
C
B
B
You
know
I
like
it
yeah.
This
is
how
I
do
it,
I'm
having
like
20
different
headphone
failures,
so
if,
throughout
this
demo
days,
do
you
see
me
wearing
different
headphones?
This
is
why,
but
again,
we
are
super
grateful
for
all
of
you
who
are
tuning
in
don't
forget
to
go
ahead
and
share
this
link
on
linkedin,
so
other
folks
who
are
interested
in
security
or
maybe
wanted
to
dabble
into
security,
didn't
know
where
to
get
started.
B
C
B
D
I
it's
a
lot
of
fun.
I
like
it.
You
know
I
like
having
a
project
like
this
to
really
get
my
teeth
into.
I've
worked
at
companies
before
and
worked
on
projects.
I've
really
enjoyed
and
they've
been
cancelled.
You
know,
there's
been
business
changes
and
I
like
really
getting
to
you
know
it's
nice
doing
new
things,
but
it's
also
nice
spending
time
and
doing
something
really
well,
particularly
when
you
keep
up
to
keep
on
seeing
what
more
needs
to
be
done.
D
It
is
spinning
plates
there's
way
too
much
to
do.
We
don't
have
enough
people
so
he's
like
yeah.
You
know
you're
spinning
plates
and
sometimes
it's
like.
Okay,
that's,
okay,
I'll
leave
that
and
you
go
back
and
put
a
new
one
up
and
start
and
then
there'd
be
a
crash.
It's
like.
I
missed
one
pick
up
some
pieces,
but
the
other
thing
is
working
with
people
got
some
great
people.
We've
got
a
core
team
of
four
of
us
now
and
it's
just
really
fun
working
with
them.
D
C
So
so
I've
got
to
ask
you
know
a
lot
has
changed
on
the
in
the
web
in
general
since
2009,
and
I
always
like
to
go
back
to
my
good
friend,
patrick
gray,
over
at
risky
business,
citing
all
of
the
sort
of
interesting
news
articles
that
happened
throughout
the
year
of
2021
and
beyond,
and
before
all
that
and
one
of
the
things
he
cited
was
in
2021.
More
cryptocurrency
was
stolen
in
terms
of
monetary
value
than
all
of
the
bank
heists
in
history
prior
to
2021..
E
D
Oh
god,
I
I
try
not
to
look
too
far
ahead.
I
mean
there's
so
much.
We
so
much
work
to
do
right
now,
so
I'm
gonna
think
a
lot
of
the
cryptocurrency
stuff.
I
get
the
feeling.
Some
of
it
is
a
lot
of
sellotape
and
string.
You
know
so
I
think
you
know,
there's
not
a
lot
of
security,
engineering
or
good
quality
engineering
gone
into
a
lot
of
these
solutions,
so
it
doesn't
surprise
me
that
a
lot
of
money
is
being
stolen
that
way
and
but
for
us
modern
web
applications
are
a
pain.
D
Traditional
web
applications
are
much
easier
for
security
tools.
Modern
web
applications
are
challenging
and
you
know
we've
got
a
lot
of
good
features
in
place,
but
there's
a
lot
more.
We
can.
We
can
do
there's
always
more
so
yeah.
I've
got
a
to-do
list
and
a
wish
list,
which
is
a
mile
long.
I've
actually
got
lists
of
lists.
D
So
if
anyone
wants
to
help
us,
you
know
there's
always
fun
stuff
to
do.
We've
actually
had
loads
of
great
contributions
from
students,
some
of
whom
have
gone
on
to
be
core
team
members.
We've
actually
got
a
list
on
the
website,
a
student
hall
of
fame
and
it's
been
great
fun
going
through.
You
know,
checking
out
the
linkedin
links
and
seeing
how
well
all
these
students
have
been
doing
so.
D
C
And
it's
a
great
resume
builder.
I
mean
there
are
so
many
people
trying
to
get
into
the
security
industry
trying
to
get
into
the
software
engineering
industry
with
just
how
much
demand
there
is,
and
it's
great
that
you
have
such
a
welcoming
culture
for
new
people
to
be
able
to
join
you
and
participate.
Definitely.
D
And
I
think
one
thing
you
know
it
takes
a
bit
of
effort
to
get
into
the
zap
core
team.
But
if
you
do,
I
think,
last
year
three
different
companies
approached
me
and
said
we
want
to
employ
someone
on
the
zap
core
team.
Who
can
we
employ
yeah?
So
if
you
get
on
the
zap
team,
you
will
get
job
offers.
Whether
you
want
to
accept
or
not
it's
another
matter.
I
accepted
one
of
them
with
stackhawk.
E
D
B
B
People
pivot
into
other
things,
and
now
you
know
in
the
oven
on
covet
a
lot
of
folks
are
thinking
making
different
decisions.
So,
if
you're
watching
this
and
you've
been
thinking
about
a
career,
switch
or
you're
already
a
developer,
but
you
want
to
dive
in
deeper
into
security
and
application
testing
hey
this
is
your
project
so
get
involved.
B
I
I
appreciate
you
sharing
that
and
the
opportunities
for
students
amazing
it's
great
to
see
that
trajectory
and
that
lift
up
right
from
the
moment
that
they
maybe
get
started
and
submit
their
first
vr
or
get
involved
with
the
project
to
being
professionals
and
doing
exactly
what
they
want
to
do
working
still
on
the
project.
So
that's
fantastic.
So
I
love
that.
Thank
you
for
sharing
that.
So
we're
talking
about
stuff,
we're
talking
about
you,
why
you
created
it
where
the
idea
came
from,
you
fix
your
own
problem,
which
I
love.
B
D
Java
yeah,
I
think,
and
one
of
the
first
programs
I
wrote,
was
actually
a
web
interface,
which
I
know
was
horrifically
insecure.
But
this
was
back
in
the
day
when
I
had
to
convince
management
that
a
web
interface
could
be
written
for
for
a
product,
and
there
was
this
new
language
just
come
out
java
and
I
wanted
to
play
with
it.
So
it
was
my
first
java
program
and
it
ended
up
being
the
web
interface
for
that
product
for
years
and
made
lots
of
money
not.
B
For
me,
how
about
that
I
gotta
I
gotta
quickly
quote
my
my
director,
martin
woodward,
who
says
you
youngans,
don't
know
how
good
you
have
it
every
time
we
start
talking
about
how
things
have
improved
so
much
so
yeah.
Thank
you
for
people
like
you
that
that
made
it
so
much
better
for
all
of
us,
but
when
you
were
building
it,
what
was
one
of
the
I
guess
most
difficult
features
to
build.
E
D
There
is
some
java
aspects,
but
most
of
it
is
javascript
and
runs
in
the
browser,
and
one
of
the
problems
is
we
haven't,
got
anyone
working
on
it
at
the
moment
we
don't
have
there
aren't
enough
people
working
on
zap
and
we
haven't
got
the
right
skill
set
or
people
haven't,
want
to
focus
on
it.
So
if
you've
got
any
javascript
developers
out
there,
who
want
a
a
really
fun
challenge,
doing
very
unusual
things,
very
all
the
things
you
shouldn't
do
at
all
we're
doing
horrible
stuff
with
the
hud.
D
This
is
a
lot
of
fun
because,
basically,
we
are
because
zap
is
a
sort
of
manipulator
in
the
middle
between
your
browser
and
zap
we
can
and
the
the
target
application.
We
can
do
anything
we
like
and
we
do
and
with
the
hud
we
actually
inject
javascript
inject
the
hud
into
the
target
application
which
is
horrific,
but
it
works.
C
D
D
So
I
mean
one
thing:
we've
heard
is
that
zap
is
quite
complicated.
There's
a
lot
going
on.
This
actually
is
quite
easy.
We
we've
hidden
loads
of
things,
so
I
could
actually
show
a
load
more
tabs
there,
which
we
hide
by
default
and
there's
right
click
options
everywhere.
So
one
of
the
problems
is
that
there's
so
much
functionality,
it's
difficult
to
for
people
starting
off.
Really,
we've
got
this
kind
of
welcome
screen
and
you've
got
the
automated
scan.
D
I
think,
to
start
with,
it's
really
good
doing
a
manual
explore
and
playing
around
with
these
things
manually.
So
you
get
an
idea
of
what's
going
on
and
normally
with
tools
like
zap,
you
would
need
to
configure
your
browser
to
proxy
through
zap
and
import
the
root,
ca
certificate
and
all
that
horrible
stuff.
E
D
Oh,
you
should
only
attack
sites
that
you
have
permission
to
test.
So
budget
is
actually
something
I'm
running
locally.
That's
fine!
We
actually
have
an
oauth
project,
the
vulnerable
application
web,
the
vwad
vulnerable,
vulnerable
application,
something
or
other.
So
we
have
a
list
of
all
the
vulnerable
applications
deliberately
vulnerable
applications.
We
know
about
so
there's
loads
of
fun
ones,
including
one
which
is
much
better
called
almost
juice
shop,
which
is
really
good,
but
isn't
so
good
for
automation,
which
is
why
I
tend
to
use
budget.
D
So
there's
lots
of
fun
things
to
play
around
with,
but
with
bought
you
I
mean
what
you
typically
do.
Is
you
want
to
explore
the
site
and
what
you'll
then
see?
If
you
switch
back
to
zap,
you
can
see
all
of
the
quests
the
browser
makes,
so
you
can
actually
see
everything's
going
on
and
we
build
up
this
site's
trees,
graphical
representation
of
the
structure,
so
we
can
see
on
the
budget
these
kind
of
things,
and
we
can
actually
look
at
the
request
and
response.
D
So
we
can
see
everything
that's
going
on,
then
I
mean
there's
lots
of
things.
What
you
can
do
is
particularly
if
you
right
click
here,
you'll
see
loads
of
options
and
we've
got
options
for
spidering.
So
if
you
want
to
kind
of
explore
the
site
automatically,
traditional
spider
is
very
fast
and
furious.
It
doesn't
handle
modern
web
applications
as
well.
That's
why
we've
got
the
ajax
spider
that
launches
browsers,
headless
ones
by
default
and
clicks
on
things,
so
that
can
explore
modern
web
application
much
more
effectively
the
active
scan.
D
This
is
where
we
actually
start
attacking
the
applications
and
yeah.
Definitely
only
do
this.
You've
got
permission
to
attack
your
applications,
but
that's
where
we
send
all
the
bad
stuff
and
try
and
find
vulnerabilities,
but
you'll
see,
there's
just
loads
of
different
options
and
right
click.
Yes,
just
loads
going
on.
I.
C
D
Yeah,
I
will
so
one
thing:
I've
just
I
mean
one
of
the
fun
things
you
can
do,
which
some
people
hope
you
know
people
hopefully
aware
of,
but
you
can
actually
intercept
things.
So
we
can
just
put
essentially
break
points
on
and
when
you
submit
them,
then
you
basically
get
the
request
and
you
can
change
it
on
the
fly.
E
E
D
D
Take
the
hud
tutorial:
it's
we've
got
a
lot
of
good
feedback
back
about
it.
It
tells
it
walks
you
through
all
the
features
for
now
I'll,
be
your
guide.
What
you'll
see
is
we
actually
have
we're
decorating
the
target
application
with
these
extra
controls
and
the
idea
is
we're
trying
to
bring
zap
into
the
browser,
and
we
want
you
to
because
I
think
a
lot
of
security
people
focus
on
the
security
tool
too
much
and
not
the
application
and
some
of
the
most
fun
vulnerabilities
are
actually
logical
vulnerabilities
in
the
application.
D
So
what
we
can
do
is
we
can
actually
focus
on
the
application
and
just
get
told
about
interesting
things,
and
what
we'll
see
is
there
was
a
little
alert
that
came
up
there
doesn't
matter
any
mystics.
We
can
still
see
these
things
so
you'll
see
yep,
cookie,
no
http
only
flag,
any
new
types
of
alerts
will
get
erased
and
we
can
actually
see
all
of
the
alerts.
D
C
Is
pretty
amazing
I
mean
especially,
you
know,
coming
from
that
mindset
of
kind
of
hunting
for
bugs
right
yeah
if
you're
a
developer,
and
you
just
want
to
walk
through
your
application
and
see
some
of
the
things
that
are
caught
by
this
heads-up
display
it's
kind
of
a
really
good
walk
through
for
someone.
That's
like
this
should
work
a
certain
way
and
then
suddenly
you
see
a
flag
like
that.
You're,
like
oh,
like
what
does
that.
D
Yeah,
we
can
still
see
all
of
the
history.
We
can
see
the
requests
and
responses
and
we've
got
the
sites
tree
here
as
well,
so
we
can
kind
of
expl.
We
got
the
same
kind
of
information,
same
basic
information,
but
the
one
thing
I
was
going
to
show
you
is
here's
a
good
example:
let's
just
let's
put
loads
of
these
in
and
we'll
find,
there's
actually
javascript,
which
presents
it
prevents
us
putting
more
than
12
in
so
what
can
we
do?
D
D
It
so
much
easier
and
we've
got
all
things
like
the
spider
and
the
active
scanning.
All
those
fun
things,
a
little
thing
so
see
here,
we've
got
this
little
show
enable
one.
If
we
go
to
the
contact
us
page
you'll
see
it's
now
two.
So
what
we're
trying
to
do
is
show
information.
That
means
there
are
two
hidden
fields.
We're
trying
to.
You
know
we're
showing
information
about
the
alerts.
D
C
E
D
A
C
Oh,
my
goodness,
there
are
so
many
ways
that
I
can
think
about
leveraging
this
and
attacking
an
application
to
your
point
sign,
and
it
makes
you
think
about
things
a
little
bit
differently:
you're,
not
constantly
looking
at
your
tool,
feedback,
you're,
looking
at
the
application
and
kind
of
seeing
things
as
you
walk
through
it,
which
is
from
a
manual
testing
perspective,
extremely
valuable.
Like
that's
that's
amazing
to
me,
yeah.
B
So
great
so
great
to
be
able
to
see
the
file
structure
and
everything
right
there
display
for
people
who
are
like
very,
very
mega
beginners
like
myself.
It
gives
you
like
a
good
run
through,
like
the
structure
of
the
application
you're
trying
to
test.
So
that's
really
cool.
I
like
to
be
able
to
see
that
this
is
awesome.
A
B
E
D
E
D
Because
one
of
the
things
we're
working
on
so
we
know,
zap
is
used
a
lot
in
automation,
but
we
found
that
you
know:
we've
got
different.
We've
got
different
ways
of
automating
zap.
You
can
use
these
package
scans,
which
work
well
but
they're
kind
of
tied
to
docker
and
that
can
be
difficult
to
extend
and
we've
got.
We
can
launch
that
in
demon
mode
and
got
full
control
over
the
with
the
api.
D
But
basically,
we
have
a
way
to
automate
zap
using
a
yaml
file,
and
you
can
actually
create
that
in
the
desktop
and
the
advantage
of
this
is
if
you've
got
any
settings,
particularly
things
like
authentication,
which
we're
still
we
haven't,
got
complete
authentication
control
in
the
automation
framework.
We're
still
working
on
that.
The
idea
is
you'll,
be
able
to
test
your
zap,
your
app
manually
with
zap
configure
zap.
So
it
handles
it
just
right
and
then
you'll
be
able
to
create
an
automation
framework
plan
from
it.
D
Perspective
exactly
and
you
can
run
that
from
within
zap
and
you
can
run
it
from
the
command
line
as
well.
So
I
will
run
that
we
can
see.
We've
kicked
off
the
spider
here
and
the
spider's
finished
we're
now
actually
going
through
the
waiting
for
the
passive
scan
to
finish,
which
is
down
here.
But
if
I
look
there's
actually
you
can
expand
this
one
here
and
you'll
see
one
thing
we've
put
in
is
these
contest
tests
and
what
we've
got
is
a
test.
D
D
But
if
you
weren't
checking
those
things,
then
you
wouldn't
know
that
you
just
think:
oh
the
scam
was,
it
ran
quicker
than
usual.
Didn't
find
anything,
that's
great,
so
you
know
I
want
to
have
we
have
we.
We
have
the
statistics
within
zap
and
you
can
basically
test
any
of
them
and
we've
got
we
by
default.
We
put
things
sensible
ones
in
like
when
you're
spidering
expected
than
a
certain
number
of,
and
you
know,
if
that's
not
good
enough,
you
can
change
it.
D
D
C
D
E
D
D
And
this
is
using
open
source
libraries,
so
they
are
much
easier
to
create
new
reports.
We
actually
had
a
report,
competition
and
some
of
the
winners
winning
reports
we
included
with
zap,
including
the
risk
and
conf
confidence.
One
modern
html
report,
high-level
sample
reports
and
we've
got
the
traditional
what
the
previous
ones
for
people
who
kind
of
rely
on
that
format.
D
C
Amazing,
especially
because
it
you
know
it
goes
to
show
the
sort
of
extensibility
right.
Maybe
you
have
your
own
reporting
format.
You
see
some
other
reports
in
there.
You
know
you
can
go
out
and
look
at
how
those
reports
are
built
and
maybe
start
to
build
together.
Your
own
style
of
report
that
you'd
want
to
include
that's.
D
C
E
E
C
D
B
D
B
E
C
B
D
So
I
mean
to
be
honest,
I'm
still
working
on
zap
full-time,
I
mean
that's.
What
stackhawk
enables
me
to
do,
which
is
brilliant,
but
the
reason
I
joined
stackhawk
is
because
what
then
allowed
me
to
work
on
zap,
but
two
I
believed
in
what
they
were
doing.
So
one
thing
we
we
became
very
aware
of
quite
early
on
was
zap
is
great
for
one
user.
If
you
want
to
bring
it
into
an
organization
and
use
it
at
scale
and
get
every
developer
using
it,
it's
hard,
I
integrated
it
in
mozilla
and
I
did
it.
D
We
had
this
plan
to
create
zap
as
a
service,
but
in
the
end,
so
a
software
as
a
service.
Zap
trouble
is
it's
a
huge
amount
of
work.
We
don't
have
enough
people,
we
just
didn't
get
around,
we
didn't
start
it,
and
it's
just
to
have
that.
I
think
you
really
need
to
have
a
company
behind
it.
That's
funding
it
and
able
to
make
money
out
of
it.
We
thought
about
setting
up
a
zap
company,
but
that's
not
really
my
skill
set,
I'm
not
the
entrepreneurial
type.
D
D
Had
a
chat
got
on
really
well
and
I
loved
their
approach
and
their
approach
was
very
different
from
a
lot
of
companies
and
security
companies
and
that
they
were
aiming
at
developers,
not
the
security
team,
and
this
means
you
can
actually
test
applications
much
earlier
on
the
development
life
cycle.
Instead
of
going
okay
development's
finished,
we
want
to
go
live
in
two
weeks.
Let's
get
the
pen
testers
in.
Oh,
my
god,
it's
horrible!
It's
a
car
crash,
there's
so
many
things
you
can
test
really
early
on
in
development.
D
You
know
once
you've
got
something
built
and
running,
you
can
start
testing
it,
and
this
isn't
going
to
put
pen
testers
out
of
business.
You
know
there's
loads
of
fun,
things
that
only
they
will
know,
but
it
gets
rid
of
the
rubbish.
It
gets
rid
of
stuff
that
you
know
you
can
find
stuff
early
on
and
fix
it,
and
you
know
whether
it
means
that
you
actually
need
to
put
new
libraries
in
place
or
extra
training
for
people
or
standardized
ways
of
doing
things.
D
You
know
you
can
do
that
early
on,
have
it
in
place
and
have
a
much
more
solid
application
security-wise
before
the
pentesters
see
it
and
it's
awesome.
I
love
their
approach
and
you
know
I
might
have
mentioned
you
know
I
kind
of
thought
this
is
a
company
to
watch.
I
might
have
mentioned
that.
You
know
I
wasn't
able
to
spend
as
much
time
on
zap
as
I
wanted
to
at
mozilla
because
of
change
of
priorities
and
then
joni.
The
ceo
got
in
touch
with
the
next
day
and
said
simon.
C
That's
amazing,
yeah.
That's
that's
and
agree
great
story
of
working
in
open
source,
solving
your
own
problems,
working
to
continue
to
maintain
it
over
time
and
now
making
a
career
of
it
is
it's
a
great
story
and
that's
that's,
I
think
every
developer's
dream
that
builds
open
source
projects
and
communities.
So
congratulations.
D
B
D
Yes,
I
hoped,
but
I
mean
you
know
it's
when
you
start
something
you
see
the
potential,
but
you
never
really.
You
don't
really
think
it's
gonna
get
there
and
you
know
we
think
that
zap
is
now
the
most
frequently
used
web
application
security
scanner
in
the
world,
including
all
the
commercial
ones.
So-
and
you
know
I
always
thought
of
conference-
would
be
great,
but
last
year
we
actually
had
one.
D
D
B
C
C
E
C
D
D
Yeah
I
mean
you
can't.
I
haven't,
found
a
way
to
actually
inject
zap
into
the
browser
running
in
in
your,
but
so
you
have
to
do
it
by
the
desktop.
So
it's
a
bit
of
a
cheat,
but
even
so
it's
there's
a
lot
of
fun
things
and
I'd
love
to
play
around
with
vr
and
start
programming,
and
it's
just
finding
time.
You
know
it's.
Oh.
C
B
D
Yeah
I
mean
well,
I
mean
osf
has
got
loads
of
open
source
projects.
All
of
our
stuff
is
completely
free.
I've
mentioned
juice
shop.
It's
a
really
great
vulnerable
application.
It's
actually
so
bjorn
saw
budget.
The
one
I
created
thought
I
could
do
better
than
this
and
he's
done
way
better.
So
it's
a
really
fun
thing.
D
I
actually
ran
a
capture
the
flag
event
at
one
of
the
mozilla
rule
hands
and
we
had
qa
developers
and
pen
testers,
all
playing
with
it
and
there's
stuff
for
the
beginners,
and
even
the
pen
testers
were
having
fun.
That
was
until
one
of
the
qa
got
now
one
of
the
well.
The
ops
guys
actually
started
beating
him
in
the
scores.
D
I
don't
know
the
pentagon
is
not
serious
then,
and
they
they
put
some
hours
in
to
really.
But
you
know
it
was
touch
and
go
at
one
stage.
So
juice
shop
is
a
really
fun
project.
What
else
yeah
so?
And
I
think
I,
if
you
talk
about
open
source
projects,
I'm
still
going
to
give
a
shout
out
to
firefox.
You
know
a
lot
of
people
seem
to
like
to
have
digs
at
firefox,
but
I've
always
been
a
fan
and
it
needs
more
love
and.
C
It
was,
I
think,
you
know
in
a
lot
of
our
pre-talk.
I
had
asked
you
about
kind
of:
what's
your
favorite
browser
to
use
for
testing
and
for
me,
firefox
was
the
tool
that
I
used.
That
would
kind
of
separate
all
my
concerns
of
browsers
that
I
would
use
for
for
my
daily
driver
and
browsers
that
I
would
use
for
testing
and
firefox
always
felt
like
the
right
thing
for
me
to
jump
into.
So
definitely
you
know
plus
one
to
firefox.
D
B
B
Thank
you
so
much
simon.
This
has
been
so
enlightening.
I
learned
so
much
I
you
know
if
you're
a
beginner,
it
doesn't
matter
where
you
are,
if
you're
a
developer,
if
you've
never
taken
a
look
at
security,
do
you
think
that
that's
the
job
of
somebody
else
we're
here
to
tell
you?
It
is
your
job
too.
It
is
your
responsibility
from
the
very
first
line
of
code
and
there
is
a
ton
of
incredible
tools
out
there
shout
out
to,
of
course,
zab.
B
B
Taking
you
know,
there's
still
gonna
be
plenty
of
other
things
that
pen
testers
and
other
security
specialists
people
can
focus
on,
but
this
is
actually
gonna
make
you
a
better
developer,
so
all
of
you
watching
own
it
take
a
look
at
that.
Take
a
look
at
oas
and
support
these
projects
that
are
just
making
us
all.
You
know
better
at
what
we
do
right:
helping
write,
better,
faster,
secure
code.
So
it's
been
amazing
to
have
you
here
today,
simon
thank.
B
Thank
you.
So
let's
do
some
call
to
actions.
Let's
give
folks
some
homework.
First
of
all,
go
register
force.com,
because
it's
gonna
be
fun.
It's
free
and
you're
gonna
get
to
interact
with
people
like
simon
101
and
hello.
That
is
a
true
treat.
Second
of
all,
if
you
haven't
been
involved
with
security
application
testing,
but
that's
something
that
you're
curious
about.
B
There's
tons
of
really
great
video
tutorials
on
this
app
website
itself
and
we've
plugged
aj
shout
out
to
aj
thank
you
and
the
production
booth
he's
plugged
out
some
of
the
links
and
we'll
share
them.
Also
on
the
notes
when
we
upload
this
to
youtube
so
that
you
can
go
on
and
check
out
those
tutorials
from
xero
really.
So,
even
if
you've
never
done
this
kind
of
testing
you
can
you
can
start
get
started
by
watching
them.
Follow
simon
on
social,
follow
simon
on
twitter,
I
will
plug
your
handle
here.
C
Yeah
for
other
web
application
security
projects
go
to
owasp.org
to
simon's
point
they're,
a
great
community
and
have
a
lot
of
different
things
that
need
your
support
as
a
development
community
as
well
as
security
community
and
beyond
that
yeah
zapcon.io
go
check
it
out.
I'm
excited
to
register
for
it
and
see
that,
and
I
look
forward
to
hearing
more
about
the
work
that
you're
going
to
be
doing
and
all
the
great
things
that
will
come
now
that
you're
fully
able
to
focus
on
this
assignment.
This
is
going
to
be
great.
B
Yes,
thank
you
so
much
and
thank
you
all
of
you
who've
been
watching
us.
We
have
folks
joined
from
everywhere.
Some
we
have
people
from
paris,
nigeria,
turkey.
There
were
tons
of
shout
outs
and
a
lot
of
thank
yous
to
echo
what
keith
mentioned
at
the
beginning
of
the
demo
days
program
today.
You
know
your
work
has
been
just
instrumental
and
a
lot
of
people
getting
started
and
you
know
making
a
career
out
of
security
testing.