
OWASP Zap pros and cons

Vendor: OWASP
3.8 out of 5

Pros & Cons summary


Prominent pros & cons

PROS

OWASP Zap is simple and easy to learn, with a powerful automated scan feature that allows for effective security testing.
The HUD feature provides on-site testing, saving time and allowing users to navigate websites as usual during scans.
The API is exceptional, offering flexibility and making it easier to address custom security needs.
OWASP Zap's scalability and stability ensure a reliable tool for ongoing web application security testing.
It offers high-value features such as fuzzer and code crawler, and integrates well with other tools like SonarQube and Portswigger Burp.

CONS

Online documentation and support for OWASP Zap need significant improvement, as they are currently outdated and lacking.
OWASP Zap struggles with false positives, requiring manual verification of findings, which is time-consuming.
OWASP Zap's reporting features need enhancement to provide more clarity and customization based on user needs.
The integration of OWASP Zap with cloud-based CI/CD pipelines could be more seamless, to ensure comprehensive scanning throughout the pipeline.
OWASP Zap lacks the capability for detailed mobile application testing, limiting its utility in evolving security environments.

OWASP Zap Pros review quotes

VN
Jun 21, 2019
The OWASP tool is free of cost, which gives it a great advantage, especially for smaller companies, to make use of the tool.
BS
Nov 12, 2020
The solution is good at reporting the vulnerabilities of the application.
PN
Mar 11, 2024
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult.
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
it_user719781 - PeerSpot reviewer
Aug 16, 2017
The vulnerabilities that it finds, because the primary goal is to secure applications and websites.
AG
Aug 13, 2021
It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display).
VF
Feb 8, 2019
This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer.
YK
May 4, 2023
Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high.
PS
Apr 6, 2021
Automatic scanning is a valuable feature and very easy to use.
JoelGeorge - PeerSpot reviewer
Apr 25, 2022
Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.
it_user860865 - PeerSpot reviewer
Apr 22, 2018
It scans while you navigate, then you can save the requests performed and work with them later.

OWASP Zap Cons review quotes

VN
Jun 21, 2019
There's very little documentation that comes with OWASP Zap.
BS
Nov 12, 2020
It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.
PN
Mar 11, 2024
It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results.
it_user719781 - PeerSpot reviewer
Aug 16, 2017
It doesn't run on absolutely every operating system.
AG
Aug 13, 2021
The forced browse has been incorporated into the program and it is resource-intensive.
VF
Feb 8, 2019
If there were an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities, but it's a bit hard to see after the scanning.
YK
May 4, 2023
The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time.
PS
Apr 6, 2021
Reporting format has no output, is cluttered and very long.
JoelGeorge - PeerSpot reviewer
Apr 25, 2022
The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder, where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.
it_user860865 - PeerSpot reviewer
Apr 22, 2018
I would like to see a version of "repeater" within OWASP ZAP: a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list or a manually created one.