Simon Bennetts, Founder and Chief Maintainer of OWASP Zed Attack Proxy (ZAP), has announced on behalf of the community that version 2.12.0 is now available for download under the Apache 2 license. A dynamic application security testing (DAST) tool, ZAP helps users find security vulnerabilities in their running web applications. The latest version delivers a new and improved networking stack, greater flexibility to accommodate future updates, a multi-threaded passive scanner for faster scanning, and a slate of dependency updates.

New updates include:

  • A new networking stack allows ZAP to support new protocols like HTTP/2.
  • The spider has been moved to an add-on, allowing the community to update it at any time without waiting for a full ZAP release. As a bonus, the spider can also find many more URLs than the previous version.
  • A multi-threaded passive scanner significantly reduces the time required to complete scans.
  • A large number of active and passive scan rules have been promoted.
  • Bit.ly telemetry removal—all “calls home” now only use the zaproxy.org domain.
  • The stable release also includes dependency updates (including log4j). While the affected dependencies were not exploitable in 2.11.1, they did still trigger vulnerability scanners.

Bennetts recently joined the team at Jit.io, the company codifying product security for developers. At Jit, Bennetts will continue to focus on the development of ZAP. ZAP is one of the underlying scanning technologies for the Jit DevSecOps platform, which enables developers to implement MVS—“Minimum Viable Security”—from Day Zero of product development and more easily achieve continuous security.
