ZAP History: 2009 - The Pentest


In 2009 I was a Java developer / team leader and led a small team which developed an online service for a major accounting software company.

As this service was considered to be security critical I insisted that an external pentest team was hired to ensure the software was suitably secure. To be honest I wasn’t too worried as we had seriously considered security throughout the process so I was fairly confident that the report would just show what a good job we had done.

I remember walking into the room in which we’d set up the pentesters after just one hour, to check they had everything they needed, only to find one of them logged into our admin console as me. We had only given them test credentials, and they already had admin access to the system! In this particular case it was not my service that was at fault, they had in fact cracked the whole company’s Single Sign On system!

The final report, when it was delivered, looked like a car crash. I’ve since found out that it actually wasn’t that bad and have now written much more damning reports myself. However, it also included vulnerabilities that I’d never heard of, including things like Cross Site Request Forgery.

I realised that I knew much less about web security than I thought, and that I needed to learn a lot more very quickly! The pentesters pointed me to OWASP, which I’m afraid to say I’d never heard of, and so I started with the OWASP Top Ten before moving on to some of the other OWASP guides. While the guides were very good, I find that I learn best by doing things rather than just reading about them, so I started playing around with various open source security tools.

I wanted to find a tool I could use to run scheduled security tests on my services, as well as using it manually to help me understand security better.