We use the product to ensure that our source code is safe enough and has no vulnerabilities before delivering a new release for our AML product. We also used the product for dynamic testing to test applications as a black box.
Head Of Development at VALOORES
An easy-to-install product that discovers more vulnerabilities than any other tool in the market
Pros and Cons
- "The product discovers more vulnerabilities compared to other tools."
- "The product should allow users to customize the report based on their needs."
What is our primary use case?
What is most valuable?
The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.
What needs improvement?
The product should allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it's better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability.
If I need to figure out only the critical or the high severity, I shouldn’t have to figure out the low severity vulnerabilities or the smell codes. These services could be helpful for the end user and save time whenever we need to generate a new report. The execution time is a little bit exaggerated. This process can optimize the report’s performance.
For how long have I used the solution?
I have been using the solution for two to three months.
Buyer's Guide
OWASP Zap
November 2024
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is very stable. I rate the solution’s stability a nine out of ten.
What do I think about the scalability of the solution?
Two resources from our security team work on generating and implementing reports. However, many other developers use the product to fix vulnerabilities and penetrate or audit the whole source code for products. The owner of the product and the developers are involved in the correction and the long-term plan to cover or close the vulnerability.
How was the initial setup?
I rate the ease of setup an eight out of ten.
What about the implementation team?
The installation is quick. It can be done in a couple of hours.
What's my experience with pricing, setup cost, and licensing?
The solution’s pricing is high. I rate the pricing a nine or ten out of ten. There is an indirect cost on the resources and specs needed to deploy or implement the product. When we run the report, it consumes a lot of du from the servers.
What other advice do I have?
We use SonarQube for penetration testing. We are most likely to have hybrid solutions. However, the deployment model depends on our clients, the data, and the type of product we will deploy. I didn't use automatic scalability for our deliveries and deployment.
The solution is worth using. We've used many tools and discovered that OWASP detects multiple high vulnerabilities, which the other tools do not detect. Overall, I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Security Officer at UnDisclosed
Stable dynamic testing solution with unreliable manual processes
Pros and Cons
- "Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
- "The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
What is our primary use case?
OWASP Zap is used for dynamic testing. So when any kind of application, like, a web application, needs to be tested for its security and vulnerabilities. It is also used to crawl the site and then to enumerate all the input or the possible exploitation points, and then we try to exploit any blockings within OWASP Zap.
How has it helped my organization?
It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities, I rate it a seven out of ten. But there are many things that I have to do manually for safety and better clarification.
What is most valuable?
I think the automation feature is the one I used the most in the tool. For the crawling and enumeration one and the feature, we can manipulate the insides of the response. So, we can manipulate web responses and use them to test a certain website's security.
What needs improvement?
Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add to do it manually. How to differentiate between the false positive and the true findings need improvement. In general, the shortcomings in the accuracy of the findings need to be improved.
The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.
For how long have I used the solution?
I have been using the solution for four or five years. We got the information from the community that it is open-source software, so we are using it as part of the community. We are using the open-source version. It is not difficult to upgrade to the latest version.
What do I think about the stability of the solution?
Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high. I never found the applications crashing.
What do I think about the scalability of the solution?
Scalability-wise, I rate the solution a five out of ten.
The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time. Five users who are IT security engineers in my company use the tool. I plan to increase the usage of the tool in the future.
How are customer service and support?
Since it's a community-based tool, I rate the solution's technical support as less than five. It's community support. We do not have technical support, so we have to manually read the documentation and check the community forums.
How would you rate customer service and support?
Neutral
How was the initial setup?
I rate the initial setup a ten out of ten since it is easy. The server is easily deployed because it's an open-source and free solution. I think it's very easy to install on every computer authorized to use it.
Which other solutions did I evaluate?
I am still currently using Burp Suite, which is free.
What other advice do I have?
I can recommend others to use the solution for a quick and easy introduction to dynamic testing. But for the more advanced solution and for users like myself who understand the application suite itself for others and any organization to use the commercial solution as a proxy. I rate the overall solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
OWASP Zap
November 2024
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
President & Owner at Aydayev's Investment Business Group
Provides visibility of queries, but security and the ability to search the internet for other use cases could be better
Pros and Cons
- "The solution is scalable."
- "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
What is our primary use case?
The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be.
What is most valuable?
The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them.
What needs improvement?
The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed.
For how long have I used the solution?
We have been using OWASP Zap for more than four years.
What do I think about the stability of the solution?
The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance.
What do I think about the scalability of the solution?
The solution is scalable. It can be run simultaneously for different targets.
How are customer service and technical support?
I have not had experience with using technical support. I make use of a public community on the public website.
How was the initial setup?
The initial setup is a bit complex, not straightforward. It could be made easy if, lets say, a project can be defined for a certain task through the project's creation. This may simplify its use.
Which other solutions did I evaluate?
Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well.
What other advice do I have?
I used the source code design for the deployment.
I have not had experience with the code crawler, OSWAP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler.
I rate OWASP Zap as a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Inexpensive licensing, free to use, and has good community support
Pros and Cons
- "The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
- "There's very little documentation that comes with OWASP Zap."
What is our primary use case?
I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues.
I get to use these tools to assess products/platforms before they go live to the market.
How has it helped my organization?
We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had OAuth token change every time a request was being sent. Somebody from the support community had contributed a sample code to accomplish this. In terms of the community support that is available, OWASP Zap has great set of features to use.
What is most valuable?
The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.
What needs improvement?
OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage.
One area where the tool can be improved is specifically, if there's some more intelligence that can be added on to the reporting feature, it would be great.
There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report.
That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.
There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation:
- Project information
- Client name
- Organization name
- Platform against which this test has been done
If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.
Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.
For how long have I used the solution?
We have been using OWASP Zap for more than eight months.
What do I think about the stability of the solution?
The only place that I faced issues with the OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that ZAP Proxy tool tends to be a little more slow to respond. We're not sure whether it's progressing at the background or whether the application is frozen. We have faced the encounter when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there.Other than that we have not seen significant issue with the tool.
What do I think about the scalability of the solution?
Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose this ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix, BurpSuite.
For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis, and make a recommendation that best suits them, explaining the pros and cons of each tools. i.e when you use a solution like OWASP Zap versus going on with a tool like Burp Suite or Acunetix.
How are customer service and technical support?
For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.
For example, we expected PortSwigger to have OAuth token to be available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.
In terms of product support, I would say, Port Swigger support has been very good.
How was the initial setup?
The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.
What's my experience with pricing, setup cost, and licensing?
As far as pricing concerns, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commerical licenses, OWASP Zap tool is the best fit.
What other advice do I have?
When people are trying to make use of OWASP Zap, I would advise first read through and understand the OWASP vulnerabilities very well. Then start looking at features, tutorials of the OWASP ZAP Proxy that are made available online.
There are a lot of YouTube videos, articles in the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which is already having vulnerabilities and assess the application around with the ZAP Proxy tool.
In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant with 1,001-5,000 employees
A cost-effective and dynamic application security testing tool, but the product reporting could be better
Pros and Cons
- "The most valuable feature is scanning the URL to drill down all the different sites."
- "The product reporting could be improved."
What is our primary use case?
Our primary use case for this solution is for reviewing applications developed in-house to test for known vulnerabilities, and we deploy this product on-premises. Additionally, we use the solution to review some applications that were developed in-house and test for any general or known vulnerabilities before moving them to the production environment.
How has it helped my organization?
The product has improved our application security engagement. It helps with our in-house review and sometimes, we don't need an external third-party tester to review it. Once we get it from OWASP Zap, we have an idea of the inherent vulnerabilities in the application. This is a plus to save cost and improve our application accuracy practice.
What is most valuable?
The most valuable feature is scanning the URL to drill down all the different sites and features embedded within the URL, like the crawler and the Spy Dream.
What needs improvement?
The product reporting could be improved. It could be changed to authorize reporting to be viewed from different perspectives to get additional regulatory requirements.
For how long have I used the solution?
We have been using this solution for approximately six years and are currently using the latest version.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
We have not explored the scalability of the system yet. We only have two users currently using it.
How are customer service and support?
We have not reached out to the technical team for support.
Which solution did I use previously and why did I switch?
We previously used Net Packer.
How was the initial setup?
The initial setup is straightforward.
What about the implementation team?
Implementation was done in-house.
What was our ROI?
We see a return on investment with this solution.
What's my experience with pricing, setup cost, and licensing?
I cannot comment on licensing costs, as a different department handles it.
Which other solutions did I evaluate?
We did not evaluate other options before choosing this solution.
What other advice do I have?
I rate this solution a seven out of ten. The product is good, but the reporting process could be improved. I recommend this solution to people looking for a quick DAST application and a dynamic application security testing tool. Additionally, the solution is cost-effective.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at Eon Health
Has a good application scanning feature but reporting needs improvement
Pros and Cons
- "The application scanning feature is the most valuable feature."
- "The reporting feature could be more descriptive."
What is our primary use case?
We use it for our security scanning for our applications.
What is most valuable?
The application scanning feature is the most valuable feature.
What needs improvement?
The reporting feature could be more descriptive.
For how long have I used the solution?
I have been using OWASP Zap for four years.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
Presently seven people use this solution. It is scalable.
How was the initial setup?
The initial setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
It's open source.
What other advice do I have?
Overall, i would rate the solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Quality Assurance Engineer at Netow Solutions Ltd
An open-source solution that helps with application testing
Pros and Cons
- "We use the solution for security testing."
- "OWASP Zap needs to extend to mobile application testing."
What is our primary use case?
We use the solution for security testing.
What needs improvement?
OWASP Zap needs to extend to mobile application testing.
What do I think about the stability of the solution?
OWASP Zap is stable.
What's my experience with pricing, setup cost, and licensing?
The tool is open-source.
What other advice do I have?
I rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager, Quality Assurance at Managed Markets Insight & Technology, LLC
It's easy to use and the automated scan is powerful, but the cloud integration could be improved
Pros and Cons
- "ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
- "ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
What is our primary use case?
We use ZAP for penetration testing.
What is most valuable?
ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.
What needs improvement?
ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline.
For how long have I used the solution?
We have used ZAP for more than six months.
What do I think about the stability of the solution?
ZAP is stable.
How are customer service and support?
I rate ZAP support seven out of 10. It's good.
How would you rate customer service and support?
Neutral
How was the initial setup?
Deploying ZAP is straightforward. It took me and one other person three or four days to install and configure ZAP.
What's my experience with pricing, setup cost, and licensing?
We use the community version.
Which other solutions did I evaluate?
We did a POC for a tool by NetSuite, but that was a paid tool.
What other advice do I have?
I rate OWASP ZAP seven out of 10. It's an excellent penetration testing tool for developers. That scanning part is solid, but the integration with AWS and Azure pipelines could be better.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free OWASP Zap Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Static Application Security Testing (SAST)Popular Comparisons
SonarQube Server (formerly SonarQube)
Veracode
GitLab
Checkmarx One
Coverity
SonarQube Cloud (formerly SonarCloud)
Fortify on Demand
Acunetix
PortSwigger Burp Suite Professional
HCL AppScan
Qualys Web Application Scanning
Invicti
Kiuwan
Rapid7 AppSpider
Contrast Security Assess
Buyer's Guide
Download our free OWASP Zap Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Is OWASP Zap better than PortSwigger Burp Suite Pro?
- What is the biggest difference between OWASP Zap and PortSwigger Burp?
- What is the biggest difference between OWASP Zap and Qualys?
- What Application Security Solution Do You Use That Is DevOps Friendly?
- Which is the most comprehensive open source Web Security Testing tool?
- What is the best Application Security Testing platform?
- When evaluating Application Security Testing, what aspect do you think is the most important to look for?
- SAST vs. DAST: Which is better for application security testing?
- What tools do you rely on for building a DevSecOps pipeline?
- What does the Log4j/Log4Shell vulnerability mean for your company?