Mozilla's web security guru talks open source

I suppose there's less of a testing background, but Björn Kimminich has just joined the team and he's from a QA background. He pointed out that there aren't many ZAP regression tests. He's right, and he's started writing them. So we're finally getting some unit tests, which I'd been meaning to do for some time. We could use more people working on the tests, working on the documentation and working on it generally, but that's always the case.

LXF: If there was one piece of advice for people to develop secure web apps, what would it be?

SB: Start learning about security. If you don't know anything about security, you can't build secure web apps. Something like the Open Web Application Security Project (OWASP) top ten risks to web applications is a great place to start. You can start learning about cross-site request forgeries and things like that, which a lot of developers don't know about.

LXF: How do you deal with the issue that ZAP will be used by some bad guys?

SB: That was something I worried about before releasing ZAP. The justification I've got, and the one I still think is valid, is that the bad guys already know how to do all this. The bad guys know the techniques, and they've got their own tools.

A lot of it is knowledge - the bad guys have it and the good guys don't - so I'm aiming this at the good guys. I'm trying to make it as easy as possible with things like integrating ZAP in a continuous integration environment - things that the bad guys aren't interested in. We focus on things that the good guys can use, and it's levelling the playing field to give them a fighting chance.

LXF: Have you made any design decisions that make it harder for black hats to use?

SB: There are certain things that people have asked for that I don't really want to develop - other people can develop them - so there are definitely things that I can think of (which I won't mention) that I would not be comfortable implementing. But in the end, the bad guys will have the tools, and they will use them to attack your web applications. They're attacking your web applications right now.