Mozilla's web security guru talks open source

I suppose there's less of a testing background, but Björn Kimminich has just joined the team and he's from a QA background. He pointed out that there aren't many ZAP regression tests. He's right, and he's started writing them. So we're finally getting some unit tests, which I'd been meaning to do for some time. We could use more people working on the tests, working on the documentation and working on it generally, but that's always the case.

LXF: If there was one piece of advice for people to develop secure web apps, what would it be?

SB: Start learning about security. If you don't know anything about security, you can't build secure web apps. Something like the Open Web Application Security Project (OWASP) top ten risks to web applications is a great place to start. You can start learning about cross-site request forgeries and things like that, which a lot of developers don't know about.

LXF: How do you deal with the issue that ZAP will be used by some bad guys?

SB: That was something I worried about before releasing ZAP. The justification I've got, and the one I still think is valid, is that the bad guys already know how to do all this. The bad guys know the techniques, and they've got their own tools.

A lot of it is knowledge - the bad guys have it and the good guys don't - so I'm aiming this at the good guys. I'm trying to make it as easy as possible with things like integrating ZAP in a continuous integration environment - things that the bad guys aren't interested in. We focus on things that the good guys can use, and it's levelling the playing field to give them a fighting chance.

LXF: Have you made any design decisions that make it harder for black hats to use?

SB: There are certain things that people have asked for that I don't really want to develop - other people can develop them - so there are definitely things that I can think of (which I won't mention) that I would not be comfortable implementing. But in the end, the bad guys will have the tools, and they will use them to attack your web applications. They're attacking your web applications right now.
