Christina Mulligan reports on CII’s latest news announcing its investment in the Open Web Application Security Project Zed Attack Proxy project (OWASP ZAP), a security tool designed to help developers identify vulnerabilities in their web apps.
Grant Accelerates Work to Deliver OWASP ZAP as a Service, Making it Accessible to More Developers
SAN FRANCISCO, June 3, 2016 — The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify, fund and improve the security of critical open source projects, today announced it is investing in the Open Web Application Security Project Zed Attack Proxy project (OWASP ZAP).
This testing tool helps developers automatically find security vulnerabilities in web applications during development and testing. Both easy to use and freely available, it appeals to a wide range of users with varying security knowledge, even first-time testers.
CII’s sponsorship adds a full-time core developer to work on accelerating ZAP as a Service, which will allow ZAP to also be deployed as a long-running, highly scalable, distributed service accessed by multiple users with different roles.
Recently voted the most preferred open source testing tool for the second time in three years by users and ToolsWatch readers, OWASP ZAP is one of the world’s most popular security tools. Hundreds of volunteers around the globe help to continually improve and enhance OWASP ZAP, according to Project Lead Simon Bennetts, who works for Mozilla as part of its security team.
“OWASP ZAP is a proven and powerful security tool that will gain even broader applicability with an increase in dedicated resources,” said Emily Ratliff, senior director of infrastructure security, The Linux Foundation. “CII is excited to help advance work that’s already underway to run ZAP in new, different ways, especially in partnership with like-minded organizations like OWASP and Mozilla as they work to ensure the Internet is a safe, global resource.”
OWASP ZAP joins projects like OpenSSL, OpenSSH, NTPd and other fundamental projects CII and its members invest in to encourage software development best practices and secure coding processes.
“The CII grant has had an immediate impact on OWASP ZAP. We’ve added a developer, improved coding best practices, set up a predictable release schedule and roadmap and performed audits to help future-proof our code,” said Bennetts.
“I’m very excited to see ZAP get the commitment of a full time developer,” said Michael Coates, former chairperson of the board of the OWASP Foundation, the not-for-profit that ensures ongoing availability and support for OWASP projects. “ZAP is a pivotal tool for use in assessing the security of a web site. As an open source project that is free for everyone to use, the commitment of development resources from CII will greatly advance its capabilities and usability for all.”
“With a service-based offering, ZAP will extend itself to a whole new level of maturity and usability that will amplify its value to the community,” said Matt Konda, chair of the OWASP Board of Directors. “Even more than that, ZAP continues to be a model for what OWASP can achieve.”
CII funds projects that improve the open source community’s ability to deliver and maintain secure code. Additionally, communication security is a critical need, so funding is also prioritized for projects that improve related, often at-risk services such as embedded, IoT, mobile, server and web applications. To submit a grant proposal, apply online using the CII grants management solution. Funding decisions are made on a rolling basis, so grants are issued at any time.
About Core Infrastructure Initiative
CII is a multimillion-dollar project that funds and supports critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing pre-emptive tools and programs to help the open source ecosystem and the companies that support it deploy secure coding practices. For a full list of CII grantees, please visit: https://www.coreinfrastructure.org/grants.
About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects and Linux conferences, including LinuxCon, and by generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.
The Linux Foundation and Linux Standard Base are trademarks of the Linux Foundation. Linux is a trademark of Linus Torvalds.