OWASP Zap Reviews

Name: OWASP Zap
Brand: OWASP
Rating: 3.8 (38 reviews)

Vendor: OWASP

3.8 out of 5

38 reviews
87% willing to recommend

844 followers

Post review

What is OWASP Zap?

OWASP Zap is a free and open-source web application security scanner.

Get the OWASP Zap Buyer's Guide and find out what your peers are saying about OWASP Zap, SonarQube Server (formerly SonarQube), Veracode and more!

OWASP Zap is the #7 ranked solution in AST tools. PeerSpot users give OWASP Zap an average rating of 7.6 out of 10. Based on the analysis of the 38 most recent OWASP Zap reviews, the overall sentiment is positive, with a sentiment score of 7.7. OWASP Zap is most commonly compared to SonarQube Server (formerly SonarQube): OWASP Zap vs SonarQube Server (formerly SonarQube). OWASP Zap is popular among the large enterprise segment, accounting for 61% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 19% of all views.

Helped 823,875 peers since 2012

Featured reviews

Amit Beniwal

Project Manager at Al Hassan LLC

There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Read full review

AnkithKumar

Application Security Consultant at Capgemini

I'd like to see more regular updates with new features and I'd like to see resources where users can internally access a learning module from the tool. It would be helpful for any user interested in developing their skills. They have all the built-ins but it's not user-friendly in the sense that the UI is not as easy as you'd find in a solution such as the Burp Suite.

Read full review

JoelGeorge

Associate at Tata Consultancy

The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more. It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.

Read full review

OWASP Zap mindshare

As of December 2024, the mindshare of OWASP Zap in the Static Application Security Testing (SAST) category stands at 5.2%, down from 6.3% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

PeerAnalyst reports

Type	Title	Date
Category	Static Application Security Testing (SAST)	Dec 17, 2024	Download
Product	Reviews, tips, and advice from real users	Dec 17, 2024	Download
Comparison	OWASP Zap vs SonarQube Server (formerly SonarQube)	Dec 17, 2024	Download
Comparison	OWASP Zap vs Veracode	Dec 17, 2024	Download
Comparison	OWASP Zap vs Checkmarx One	Dec 17, 2024	Download

Title	Rating	Mindshare	Recommending
SonarQube Server (formerly SonarQube)	4.0	28.7%	81%	113 interviews Add to research
Veracode	4.1	10.1%	90%	196 interviews Add to research

Valuable Features

OWASP Zap excels with features such as automatic and manual scanning, robust API for automation, ease of use, and multi-platform support. Its open-source nature provides cost-effective security testing. Users value its simplicity, detailed reporting, and integration with tools such as SonarQube. It offers capabilities like spidering, HUD for in-browser control, and fuzzer for custom needs. Strong community support, multi-language translations, and continuous updates enhance its effectiveness.

"OWASP Zap is a good tool, one of my favorites for a long time, and I would recommend it."
"One valuable feature of OWASP Zap is that it is simple to use."
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."

Room for Improvement

OWASP Zap users point out that the documentation is outdated and lacks detail. They express a need for improvement in report customization and automation, reducing false positives, and expanding vulnerabilities covered. There are calls for better integration with cloud pipelines and DevOps and enhancements in SQL injection detection. UI and deployment simplicity are also suggested areas for enhancement. Users seek more regular updates, better technical support, and improved memory usage.

"For scalability, I would rate OWASP Zap between four to five out of ten."
"There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."

ROI

Users reported significant improvements in security measures, enhanced vulnerability detection, and increased overall protection.

The tool was praised for its user-friendly interface, extensive features, and effectiveness in identifying potential threats.

Users also highlighted the cost-effectiveness of OWASP Zap, as it provided robust security solutions without requiring substantial financial investments.

Pricing

OWASP Zap is widely recommended for enterprise buyers as a free and open-source security assessment tool. Offered under the Apache 2 license, it provides features comparable to many commercial solutions without associated licensing or setup costs. Users appreciate it as a cost-effective option, especially when evaluating security tools, since it does not require upfront financial commitment. While indirect resource costs may occur during deployment, its freeware nature appeals strongly to users seeking non-commercial solutions.

"It is open source, and we can scan freely."
"The tool is open source."
"The tool is open-source."

Popular Use Cases

Organizations primarily use OWASP Zap for web application security testing, focusing on identifying vulnerabilities through manual and automated scans. Common applications include penetration testing, vulnerability assessments, and ensuring application security pre-deployment. Many utilize the tool for spidering websites, scanning pipelines, and generating reports for analysis and auditing. Users integrate OWASP Zap into development cycles and DevOps pipelines to find and address security issues, safeguarding applications before taking them live.

Service and Support

Customer service and support for OWASP Zap show mixed experiences. Community and documentation support appear well-regarded, with users frequently resolving issues via forums. Some praise maintainers for exceptional support beyond expectations, though many rely on forums rather than direct technical assistance. A few rate support as excellent when engaged but note delayed response or absence of traditional channels. OWASP Zap benefits from strong community involvement, though conventional technical support might not be prevalent.

Deployment

Users describe the initial setup of OWASP Zap as generally easy and straightforward, particularly praising its quick deployment. It's noted that setup is manageable for technical users due to good documentation. While some find it very simple, others mention complexities, especially when integrating with specific environments. Using API presents slight difficulty, but many find installation on platforms like Linux embedded and automated. Whether on-premise or cloud, setup typically requires only minimal time and personnel.

Scalability

OWASP Zap exhibits varied scalability experiences. Some find it scalable, citing extensions and API capabilities, while others encounter limitations, calling it only somewhat scalable. Users use it simultaneously for different targets, with flexibility noted. Challenges with scaling are occasionally faced, though others mention good scaling with resources. Different teams leverage Zap for scanning vulnerabilities, and adapting to customer needs, with usage potential planned for increase. Ratings for scalability range, highlighting diverse user experiences.

Stability

OWASP Zap is generally stable, with minimal issues reported. Most users find it reliable, though some experience lag when handling large data volumes or numerous requests. Performance can be a bit slow in virtual environments like Kali Linux or when dealing with substantial payloads. Organizations mention occasional false positives and some configurations needed to optimize performance. However, most agree it's a dependable tool with high stability ratings, often cited as eight or nine out of ten.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our OWASP Zap Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

19%

Financial Services Firm

12%

Manufacturing Company

Government

University

Educational Organization

Healthcare Company

Retailer

Comms Service Provider

Insurance Company

Media Company

Real Estate/Law Firm

Construction Company

Non Profit

Energy/Utilities Company

Legal Firm

Outsourcing Company

Hospitality Company

Wholesaler/Distributor

Logistics Company

Transportation Company

Performing Arts

Recreational Facilities/Services Company

Pharma/Biotech Company

Consumer Goods Company

Compare OWASP Zap with alternative products

Learn more about OWASP Zap

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

Product Video

OWASP Zap customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS