The Linux Foundation’s Core Infrastructure Initiative (CII) is continuing its commitment to help fund, support and improve open-source projects with a new investment. The organization has announced it is investing in the Open Web Application Security Project’s Zed Attack Proxy (OWASP ZAP), a security tool designed to help developers identify vulnerabilities in their web apps.
“In addition to its use as a security testing tool, it also educates the developers about how to remediate issues that it has found,” said Emily Ratliff, senior director of infrastructure security at the Linux Foundation. “Web applications continue to be frequently targeted for attack and are often vulnerable, to the point that the security community jokes about ‘PHP Golf’—the game of churning out CVEs on short order to make yourself look good as a security researcher.”
CII funding aims to help projects deliver and maintain secure code, and focuses on projects that have an impact on the developer community. Ratliff explained that, with this funding, a core developer of OWASP ZAP will now be able to commit to the project full-time and advance its capabilities and usability. In addition, the funding will help ZAP be deployed as a long-running, scalable, distributed service that can be accessed by multiple users.
“This investment will enable the preliminary work for developers to be able to use ZAP as a service rather than as a desktop application. This means that it can be installed once per team rather than on every developer’s desktop. Ultimately, it can be provided as a service by organizations which aggregate security tools to simplify and expedite security testing of open source software,” said Ratliff.
According to Simon Bennetts, project lead for OWASP ZAP, the funding has already made an impact. “We’ve added a developer, improved coding best practices, set up a predictable release schedule and road map, and performed audits to help future-proof our code,” he said.
CII was created in the aftermath of OpenSSL’s Heartbleed bug. It has since funded projects such as OpenSSL, OpenSSH, ntpd, the Linux Kernel Self Protection Project, the Fuzzing Project, Reproducible Builds, GnuPG, and False-Positive-Free Testing with Frama-C.
“CII is excited to help advance work that’s already underway to run ZAP in new, different ways, especially in partnership with like-minded organizations like OWASP and Mozilla as they work to ensure the Internet is a safe, global resource,” said Ratliff.