Mozilla's web security guru talks open source

Simon Bennetts
The Zed Attack Proxy is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications

Mozilla is about more than just web browsers - it's an organisation committed to making the web a better place for users. As part of this, it's funding development of a tool to help web developers make their sites more secure: the Zed Attack Proxy (or ZAP).

Our sister magazine Linux Format met lead developer and security campaigner Simon Bennetts to talk about ZAP, Mozilla and black hats.

LXF: Can you tell us a little bit about how you started using open source software?

SB: I've been using open source for many years as a developer. I really like it, and I like the principles behind it, but I'd never had the opportunity to contribute to any. I'd tried to convince previous companies that some of our products should be open, but to no effect. Those are commercial decisions, which I typically don't get involved in. I wanted to have a project to work on, and I wanted to learn about security, so I decided to start work on ZAP, as it became. It all came from there, really.

LXF: And you're now working for Mozilla. What's the culture like?

SB: Completely bizarre. Really strange. I've come from a commercial background, and the discussions we have are completely different. You have discussions about whether you should have the discussions in public or not. It's all about what's best for the users - what's best for people who use the internet. It's a very accepting culture and it's a very supportive culture. It's all about doing the right thing, which is really nice to be part of.

LXF: Can you tell us a bit about ZAP. What's it for? Who is it aimed at?

SB: I'm trying to aim it at as wide an audience as possible. It's a tool for finding vulnerabilities in web applications. It's used by security teams - professional penetration testers - but my focus is to get developers, functional testers and quality assurance using it because I think it's important that they understand security.

I believe that you can't create secure web applications unless you have some understanding of web application security. This is a way of understanding that. It allows you to hack your own web applications and get some understanding of what the bad guys are going to do.

LXF: What's the thing that's surprised you most about working on an open source project?

SB: I suppose the willingness of people to help. I wanted ZAP to be a community project because I think the strength of open source comes from when anyone can contribute. It's been great getting people involved, people helping out and people doing some really great work. Dealing with the people has been a real pleasure.

LXF: How many contributors are there?

SB: Quite a lot. We have a list of credits on the website that's included with ZAP as well. There are 30 or 40 names on there. About half a dozen contribute code regularly, and some people as and when. It is a community project, so I want people to get involved.

We're very supportive of new people, so whether you're a developer who wants to learn about security or an expert in security who wants to learn more, then we're happy to help you. I'm happy to spend an hour helping someone do something that would take me 20 minutes to do myself, because that means that the person can do more in the future.

Mozilla is diversifying into mobile

LXF: Are there any skills shortages you've found in the open source community?

SB: Documentation! I haven't found a shortage of security skills, surprisingly. ZAP has taken off in the security community, so there are people working on ZAP that know a lot more about security than I do. I'm still learning. I guess we all are!