We compared Veracode and OWASP Zap across several parameters based on our user's reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode is the preferred product over OWASP Zap. However, if you have a limited budget and technical expertise for setup and customization, go for OWASP ZAP. If you prioritize ease of use, a cloud-based solution, and you require a broader range of security functionalities beyond just vulnerability scanning, choose Veracode.
"The ZAP scan and code crawler are valuable features."
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."
"The interface is easy to use."
"The application scanning feature is the most valuable feature."
"You can run it against multiple targets."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"The API is exceptional."
"The capability to identify vulnerable code is the most valuable feature of Veracode."
"It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."
"The article scanning is excellent."
"With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"Code scanning is the most valuable feature."
"Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process."
"There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The product reporting could be improved."
"The reporting feature could be more descriptive."
"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
"Reporting format has no output, is cluttered and very long."
"There isn't too much information about it online."
"The runtime code analysis could be improved so that we can see every element in one place."
"Veracode is costly, and there is potential for improvement in its pricing."
"While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow."
OWASP Zap is ranked 8th in Static Application Security Testing (SAST) with 37 reviews while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. OWASP Zap is rated 7.6, while Veracode is rated 8.2. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional and Checkmarx One, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and SonarCloud. See our OWASP Zap vs. Veracode report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.