2022 in Review


2022 was an eventful year for ZAP, and mostly a very successful one.

We:

According to Open Hub we had a total of 2528 commits across the 4 main repos thanks to 63 contributors.

And based on our Telemetry the Headline Statistics for 2022 were:

  • Number of Times ZAP was Started: 14 Million
  • Number of Active Scans: 9 Million
  • Number of Alerts Raised: 5.6 Billion
  • Number of Active Scan Messages Sent: 15 Billion

Website changes

This website has seen a steady stream of new content throughout the year.

  • In January we started strongly with an all new and very comprehensive Contributing Guide.
  • In February we added the Mission Statement and Core Team pages.
  • In March we added many more Statistics and the Test Scans page where you can see how well ZAP does against a growing set of vulnerable apps. To date we are not aware of any other web scanner that publishes this information.
  • The Burp to ZAP Feature Map was added in April.
  • July saw us add the Constants page to help anyone using the ZAP API and scripts as well as the start of the ZAP History pages.
  • The Roadmap was added in September, the same month we started publishing monthly updates.
  • And over the year we published 21 Blog Posts.

Networking Changes

In February we announced the new ZAP networking layer.

This was a major change to the ZAP networking stack but one that was necessary in order to support more modern protocols. Significant work continued on the networking code throughout 2022.

This has culminated in full support for HTTP/2 in the latest weekly releases.

ZAPCon

ZAPCon was held on March 8th-9th and was very successful. Over 5 thousand people registered and all of the videos are available online.

It is a shame that due to subsequent events this is likely to be the last such event for the foreseeable future.

Sponsorship Problems

In June we lost our previous Platinum sponsor and I asked the community for help funding ZAP development.

I was blown away by the responses and was in the very fortunate position to receive a significant number of very generous offers of support.

In the end I decided to join Jit where I can still focus on ZAP while helping Jit build a world leading security orchestration platform.

Google Summer of Code

We took part in Google Summer of Code once again, and this year's student, Arkaprabha Chakraborty, created the new Param Digger add-on based on the popular Burp extension Param Miner.

2.12.0

ZAP 2.12.0 was released in October and was dubbed the Ten Thousand Star release thanks to the main zaproxy/zaproxy repo reaching 10,000 stars.

This was a major release for us and included:

  • The new networking add-on
  • Migration of the standard spider to an add-on
  • Multi-threaded Passive Scanner
  • Bit.ly telemetry removal
  • Scan rule promotions
  • Dependency updates
  • New add-ons
  • Desktop HTML injection fix

Future plans

We have only just released ZAP 2.12.0 … but we are actually planning to release ZAP 2.13.0 in the relatively near future!

Stay tuned for more announcements about this surprise release soon 😁.

Thank you to everyone who has contributed to ZAP in any way, and wishing you all a successful and secure 2023!