
Practical Security for developers using OWASP ZAP

Formal Metadata

Title
Practical Security for developers using OWASP ZAP
Series Title
Number of Parts
90
Author
License
CC Attribution 2.0 Belgium:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner they have specified.
Identifiers
Publisher
Year of Publication
Language

Content Metadata

Subject Area
Genre
Abstract
Any application exposed to the internet will be attacked, either by automated tools or manually by individuals looking to compromise it and its users. Security should be considered throughout the development process, but testing for security vulnerabilities (penetration testing) is a key part of secure software development. This is a particular challenge for open source projects as most developers have limited security experience and often don't have the funds to pay for external expertise. This talk introduces the OWASP Zed Attack Proxy (ZAP), an integrated penetration testing tool for finding vulnerabilities in web applications. It is completely free, open source and cross platform, as well as being a community orientated project that actively encourages participation. While ZAP is used by security professionals, it is also ideal for anyone new to web application security and includes features specifically aimed at developers. ZAP can be run interactively, but it also supports a REST API, making it ideal for including in a continuous integration environment. Simon will show how ZAP can be used to find vulnerabilities, both manually and as part of an automated build. He will also give an overview of some of the more advanced features, and explain how they can be used for more complex security testing.