OWASP ZAP is integral to how Mozilla secures the services powering core Firefox features, including Accounts, Addons, and Sync, for millions of individuals around the world. We support the open source development of ZAP because it helps us ensure the security and privacy of our users, keeping the Internet a global, public resource that is open and accessible to all.
On the security operations team, we run daily headless ZAP baseline scans against 241 sites to detect OWASP Top Ten and other vulnerabilities, improve the quality of reports to our web bug bounty program, and track metrics on the adoption of security controls like Content Security Policy and Strict Transport Security headers. To date, baseline scans have found issues on 73 sites. In our CI/CD pipelines, we run ZAP to prevent insecure applications from being deployed to staging and production environments. We also run ad hoc ZAP tests using the HUD, the active scanner, and the OpenAPI and GraphQL addons to review and pentest new applications and features and to confirm vulnerability reports and fixes.
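As an added example (not Mozilla's or the ZAP project's code), this Python script shows the two uses described above: failing a CI gate when a baseline report contains a high-risk alert, and counting CSP and HSTS adoption across sites from the JSON reports that zap-baseline.py writes with -J. The two sample reports and plugin ID 99999 are constructed; 10038 and 10035 are the real ZAP passive-scan rule IDs for the missing-header alerts.

```python
import json

# ZAP passive-scan rule IDs for the two headers tracked as adoption metrics.
CSP_NOT_SET = "10038"    # Content Security Policy (CSP) Header Not Set
HSTS_NOT_SET = "10035"   # Strict-Transport-Security Header Not Set
RISK_HIGH = 3            # riskcode in ZAP reports: 0 info, 1 low, 2 medium, 3 high

# Constructed sample: two zap-baseline.py -J reports, one per scanned site,
# reduced to the fields used here. Plugin ID 99999 is a placeholder, not a real rule.
SAMPLE_REPORTS = [
    '{"site": [{"@name": "https://a.example", "alerts": ['
    '{"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"}]}]}',
    '{"site": [{"@name": "https://b.example", "alerts": ['
    '{"pluginid": "10035", "alert": "Strict-Transport-Security Header Not Set", "riskcode": "1"},'
    '{"pluginid": "99999", "alert": "Constructed high-risk finding", "riskcode": "3"}]}]}',
]


def parse_reports(reports):
    """Merge baseline JSON reports into {site_name: {pluginid: highest riskcode}}."""
    sites = {}
    for text in reports:
        for site in json.loads(text).get("site", []):
            alerts = sites.setdefault(site["@name"], {})
            for a in site.get("alerts", []):
                alerts[a["pluginid"]] = max(alerts.get(a["pluginid"], 0), int(a["riskcode"]))
    return sites


def blocking_sites(sites, min_risk=RISK_HIGH):
    """Sites a CI gate should refuse to deploy: any alert at or above min_risk."""
    return sorted(name for name, alerts in sites.items()
                  if any(r >= min_risk for r in alerts.values()))


def control_adoption(sites):
    """Count sites where each header is present, i.e. its 'not set' rule did not fire."""
    return {
        "sites": len(sites),
        "csp": sum(CSP_NOT_SET not in a for a in sites.values()),
        "hsts": sum(HSTS_NOT_SET not in a for a in sites.values()),
        "with_findings": sum(bool(a) for a in sites.values()),
    }


if __name__ == "__main__":
    found = parse_reports(SAMPLE_REPORTS)
    print("block deploy for:", blocking_sites(found))   # ['https://b.example']
    print("adoption:", control_adoption(found))
```

Lowering min_risk to 2 (medium) turns the gate into the stricter policy that also fails a site on a missing CSP header.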