Faster and More Capable, OWASP Zed Attack Proxy (ZAP) 2.12.0 Available Today

Share Article

World's most widely used web app scanner gives developers and security more comprehensive scanning and greater speed all in one open-source package.

News Image
Expanding the number of protocols and URLs ZAP can scan is a huge enhancement, and improving the speed of the scans themselves means that the developers and security professionals who rely on ZAP can get more done faster—which is always a plus.

Faster scan speeds and more comprehensive scanning have arrived in the world’s most widely used open-source web app scanner, OWASP Zed Attack Proxy (ZAP). Simon Bennetts, founder and chief maintainer of ZAP announced today on behalf of the community that version 2.12.0 is now available for download under the Apache 2 license.

***Download ZAP 2.12.0 here***
***Read more in the release blog post***

A dynamic application security testing (DAST) tool, ZAP helps users find security vulnerabilities in their code. The latest version delivers a new and improved networking stack, greater flexibility to accommodate future updates, a multi-threaded passive scanner for faster scanning, and a slate of dependency updates:

  • A new networking stack allows ZAP to support new protocols like HTTP/2.
  • The spider has been moved to an add-on, allowing the community to update ZAP at any time. As a bonus, the spider also can find many more URLs compared to the previous version.
  • A multi threaded passive scanner significantly speeds up the time required to complete scans.
  • A large number of active and passive scan rules have been promoted.
  • Bit.ly telemetry removal—all “calls home” now only use the zaproxy.org domain.
  • The stable release also includes dependency updates (including log4j). While not exploitable in 2.11.1, they did still trigger vulnerability scanners.    

“More and more, our community is looking for improvements to ZAP that make it more capable for the kinds of scans they perform every day,” said Bennetts. “Expanding the number of protocols and URLs ZAP can scan is a huge enhancement, and improving the speed of the scans themselves means that the developers and security professionals who rely on ZAP can get more done faster—which is always a plus. I also feel privileged to have been able to join a team that makes it possible to support ZAP and enhance its features every day.”

Bennetts recently joined the team at Jit.io, the company codifying product security for developers. At Jit, Bennetts will continue to focus on the development of ZAP. ZAP is one of the underlying scanning technologies for the Jit DevSecOps platform, which enables developers to implement MVS—“Minimum Viable Security”—from Day Zero of product development and more easily achieve continuous security.

ZAP is an important tool for our industry and for the Jit platform, which is why we feel so strongly about supporting Simon’s work day in and day out,” said David Melamed, CTO of Jit. “We applaud the work of the entire open-source ZAP community for their consistent efforts in improving and maintaining one of the most important DevSecOps tools developers have today. It certainly plays a key role in fulfilling our vision at Jit, which is to empower developers to build secure apps from Day Zero.”

*About ZAP*
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. The ZAP mission is to: (1) be a welcoming, community-oriented project that anyone can get involved in; (2) make the online world that little bit safer; (3) be the best open-source web security tool. To learn more about ZAP or participate in the community, visit https://www.zaproxy.org/community/.

*About Jit*
Jit was founded in 2021 by David Melamed and Aviram Shmueli as well as FXP’s Gil Zimmermann, Ron Zalkind and Tsahy Shapsa. It helps modern engineering teams developing cloud-native software and using continuous integration/continuous development (CI/CD) easily own product security without the common overhead. The company is based in Tel Aviv, Israel, and backed by boldstart ventures along with TechAviv, FXP, Insight Partners, Tiger Global Management and several strategic angel investors. https://jit.io/
# # #

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Robert Cathey
Visit website