Try our new research platform with insights from 80,000+ expert users

Fortify WebInspect vs OWASP Zap comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Fortify WebInspect
Average Rating
7.2
Reviews Sentiment
6.8
Number of Reviews
20
Ranking in other categories
Dynamic Application Security Testing (DAST) (2nd), DevSecOps (7th)
OWASP Zap
Average Rating
7.6
Reviews Sentiment
7.5
Number of Reviews
39
Ranking in other categories
Static Application Security Testing (SAST) (11th)
 

Mindshare comparison

While both are Quality Assurance solutions, they serve different purposes. Fortify WebInspect is designed for Dynamic Application Security Testing (DAST) and holds a mindshare of 23.9%, down 32.6% compared to last year.
OWASP Zap, on the other hand, focuses on Static Application Security Testing (SAST), holds 5.1% mindshare, down 5.8% since last year.
Dynamic Application Security Testing (DAST)
Static Application Security Testing (SAST)
 

Featured Reviews

Navin N - PeerSpot reviewer
Effective scanning of diverse file extensions with fast reporting and issue resolution
We develop software packages for clients, and these clients are mostly in the BFSI sector. The packages need to be scanned, and we engage Fortify WebInspect for this.  Customers typically perform their own application pen tests, but in some cases, we have engagements where customers want us to scan…
Amit Beniwal - PeerSpot reviewer
Simplifies vulnerability discovery and has high quality support
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The solution is easy to use."
"The feature that has been most influential in identifying vulnerabilities is its ability to crawl the website, understand the structure, and analyze the network packets sent and received."
"I've found the centralized dashboard the most valuable. For the management, it helps a lot to have abilities at the central level."
"The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
"Guided Scan option allows us to easily scan and share reports."
"Technical support has been good."
"The accuracy of its scans is great."
"It is scalable and very easy to use."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"Simple to use, good user interface."
"The application scanning feature is the most valuable feature."
"You can run it against multiple targets."
"OWASP is quite matured in identifying the vulnerabilities."
"It can be used effectively for internal auditing."
"OWASP Zap is a good tool, one of my favorites for a long time, and I would recommend it."
"They offer free access to some other tools."
 

Cons

"Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use."
"We have often encountered scanning errors."
"The scanner could be better."
"Creating reports is very slow and it is something that should be improved."
"I would like WebInspect's scanning capability to be quicker."
"It took us between eight and ten hours to scan an entire site, which is somewhat slow and something that I think can be improved."
"There are some file extensions, like .SER, that Fortify WebInspect doesn't scan."
"Not sufficiently compatible with some of our systems."
"OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."
"There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word ​list, or manually created."
"There are too many false positives."
"The documentation is lacking and out-of-date, it really needs more love."
"Lacks resources where users can internally access a learning module from the tool."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
 

Pricing and Cost Advice

"Fortify WebInspect is a very expensive product."
"Our licensing is such that you can only run one scan at a time, which is inconvenient."
"The pricing is not clear and while it is not high, it is difficult to understand."
"Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."
"The price is okay."
"This solution is very expensive."
"It’s a fair price for the solution."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy."
"The tool is open-source."
"It is open source, and we can scan freely."
"The tool is open source."
"This is an open-source solution and can be used free of charge."
"The solution’s pricing is high."
"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."
report
Use our free recommendation engine to learn which Dynamic Application Security Testing (DAST) solutions are best for your needs.
845,040 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
18%
Computer Software Company
15%
Government
14%
Manufacturing Company
11%
Computer Software Company
18%
Financial Services Firm
12%
Manufacturing Company
8%
Government
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Fortify WebInspect?
The solution's technical support was very helpful.
What is your experience regarding pricing and costs for Fortify WebInspect?
Fortify WebInspect can be a bit expensive. However, considering its stability and reliability in meeting current standards, the cost is justified. Still, making the cost more affordable for multipl...
What needs improvement with Fortify WebInspect?
I would like WebInspect's scanning capability to be quicker. Specifically, being able to scan a particular flow or part of an application more rapidly would be beneficial. Additionally, the cost of...
Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with ...
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, i...
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
 

Also Known As

Micro Focus WebInspect, WebInspect
No data available
 

Overview

 

Sample Customers

Aaron's
1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Find out what your peers are saying about Fortify WebInspect vs. OWASP Zap and other solutions. Updated: May 2022.
845,040 professionals have used our research since 2012.