OWASP Zap Reviews

Currently, we build our products for the banking industry and use this solution in that process.

From a development cycle, we update the SQL injections that basically shows what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code. 

The solution is good at reporting the vulnerabilities of the application. 

It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards.

So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using.

It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.

Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to compliment the tool would go a long way in helping us use the solution.

I've been using the solution for five or six years at this point.

From the perspective of the development cycle that we use, we find it stable enough. I don't use it in production or I don't have to update sites running all the time. Once a week when I will build a VM pack, I push into another environment, and that's probably the time I would make it. For me, I find it to be stable enough.

I haven't really used technical support. Therefore, I can't really speak to their level of responsiveness or knowledgeability.

I'm not a security specialist, however, to be clear, we provide services. On a development project, we frequently run into various solutions. It's not just OWASP. It could be Veracode, for example, or multiple other tools. 

The initial setup is not necessarily straightforward. Most are complex. You need a senior person to specialize, understand the set up in which they are running, and understand the tools they are going to use. You need to ask: do they know what to look for and support? I wouldn't say it's complex to use. That said, normally the resources are costly.

In security, you'd expect the product is priced at a premium, so people don't check the pricing for the most part. In my case, I don't buy the product myself. I have the customers buy it for me. I'm not very worried about the price as a consultant.

We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are. 

There's all, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool, however, I don't believe we have any kind of a formal relationship with the company. 

Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a rating of eight out of ten.

We use the solution for scanning pipelines.

It is a good solution. We get good feedback about the product from our clients. The product helps users to scan and fix vulnerabilities in the pipeline.

The technical support team must be proactive. The team must advise users about the available features, how to find them, and how to use them better.

We have been using the solution for a customer for six to eight months.

We have not experienced any challenges in the tool's maintenance, availability, and stability.

The scalability could be better. I rate the tool’s scalability a seven out of ten. Our customers are medium-sized businesses.

The technical support is very good. We had some issues during installation. We reached out to the support team and got it clarified immediately. We have reached out to the support team only once. If we continue getting good support from the team, I might rate support a nine or ten out of ten in the future. For now, I rate it an eight out of ten.

Positive

The installation and integration are easy. It's not challenging. The implementation was done in different phases. Our customers took a few days to install the solution. They needed two engineers to install it. We do not have any problem in maintaining the tool. It is deployed on the cloud.

I would recommend the solution to my clients since it is a proven product. We have no issues with stability, scalability, and technical support. Overall, I rate the product an eight out of ten.

OWASP Zap is used for dynamic testing. So when any kind of application, like, a web application, needs to be tested for its security and vulnerabilities. It is also used to crawl the site and then to enumerate all the input or the possible exploitation points, and then we try to exploit any blockings within OWASP Zap.

It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities, I rate it a seven out of ten. But there are many things that I have to do manually for safety and better clarification.

I think the automation feature is the one I used the most in the tool. For the crawling and enumeration one and the feature, we can manipulate the insides of the response. So, we can manipulate web responses and use them to test a certain website's security.

Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add to do it manually. How to differentiate between the false positive and the true findings need improvement. In general, the shortcomings in the accuracy of the findings need to be improved.

The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.

I have been using the solution for four or five years. We got the information from the community that it is open-source software, so we are using it as part of the community. We are using the open-source version. It is not difficult to upgrade to the latest version.

Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high. I never found the applications crashing.

Scalability-wise, I rate the solution a five out of ten.

The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time. Five users who are IT security engineers in my company use the tool. I plan to increase the usage of the tool in the future.

Since it's a community-based tool, I rate the solution's technical support as less than five. It's community support. We do not have technical support, so we have to manually read the documentation and check the community forums.

Neutral

I rate the initial setup a ten out of ten since it is easy. The server is easily deployed because it's an open-source and free solution. I think it's very easy to install on every computer authorized to use it.

I am still currently using Burp Suite, which is free.

I can recommend others to use the solution for a quick and easy introduction to dynamic testing. But for the more advanced solution and for users like myself who understand the application suite itself for others and any organization to use the commercial solution as a proxy. I rate the overall solution a seven out of ten.

We use the product to ensure that our source code is safe enough and has no vulnerabilities before delivering a new release for our AML product. We also used the product for dynamic testing to test applications as a black box.

The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.

The product should allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it's better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability. 

If I need to figure out only the critical or the high severity, I shouldn’t have to figure out the low severity vulnerabilities or the smell codes. These services could be helpful for the end user and save time whenever we need to generate a new report. The execution time is a little bit exaggerated. This process can optimize the report’s performance.

I have been using the solution for two to three months.

The solution is very stable. I rate the solution’s stability a nine out of ten.

Two resources from our security team work on generating and implementing reports. However, many other developers use the product to fix vulnerabilities and penetrate or audit the whole source code for products. The owner of the product and the developers are involved in the correction and the long-term plan to cover or close the vulnerability.

I rate the ease of setup an eight out of ten.

The installation is quick. It can be done in a couple of hours.

The solution’s pricing is high. I rate the pricing a nine or ten out of ten. There is an indirect cost on the resources and specs needed to deploy or implement the product. When we run the report, it consumes a lot of du from the servers.

We use SonarQube for penetration testing. We are most likely to have hybrid solutions. However, the deployment model depends on our clients, the data, and the type of product we will deploy. I didn't use automatic scalability for our deliveries and deployment. 

The solution is worth using. We've used many tools and discovered that OWASP detects multiple high vulnerabilities, which the other tools do not detect. Overall, I rate the product an eight out of ten.

We use ZAP for penetration testing. 

ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.

ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline. 

We have used ZAP for more than six months.

ZAP is stable. 

I rate ZAP support seven out of 10. It's good. 

Neutral

Deploying ZAP is straightforward. It took me and one other person three or four days to install and configure ZAP. 

We use the community version. 

We did a POC for a tool by NetSuite, but that was a paid tool. 

I rate OWASP ZAP seven out of 10. It's an excellent penetration testing tool for developers. That scanning part is solid, but the integration with AWS and Azure pipelines could be better. 

I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues.

I get to use these tools to assess products/platforms before they go live to the market.

We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had OAuth token change every time a request was being sent. Somebody from the support community had contributed a sample code to accomplish this. In terms of the community support that is available, OWASP Zap has great set of features to use.

The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.

OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage.

One area where the tool can be improved is specifically,  if there's some more intelligence that can be added on to the reporting feature, it would be great. 

There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report.

That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.

There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation:

• Project information
• Client name
• Organization name
• Platform against which this test has been done
  

If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.

Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.

The only place that I faced issues with the OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that ZAP Proxy tool tends to be a little more slow to respond. We're not sure whether it's progressing at the background or whether the application is frozen. We have faced the encounter when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there.Other than that we have not seen significant issue with the tool.

Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose this ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix, BurpSuite. 

For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis, and make a recommendation that best suits them, explaining the pros and cons of each tools. i.e when you use a solution like OWASP Zap versus going on with a tool like Burp Suite or Acunetix. 

For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.

For example, we expected PortSwigger to have OAuth token to be available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.

In terms of product support, I would say, Port Swigger support has been very good. 

The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.

As far as pricing concerns, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commerical licenses, OWASP Zap tool is the best fit.

When people are trying to make use of OWASP Zap, I would advise first read through and understand the OWASP vulnerabilities very well. Then start looking at features, tutorials of the OWASP ZAP Proxy that are made available online.

There are a lot of YouTube videos, articles in the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which is already having vulnerabilities and assess the application around with the ZAP Proxy tool.

In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten. 

It's running on my system. I use it to scan URLs and can check things if I find something. 

There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets. 

It is easy to set up.

The solution is stable. 

I don't have any notes for improvements.

It should have more visibility. Everybody defaults to Burp. However, this is a free version that deserves more visibility.

There isn't too much information about it online. You need to self-teach in order to really learn how to use it. There isn't a lot of documentation available. 

It takes up a lot of memory and RAM. 

I've been using the solution for roughly six months. I've used it on and off. However, I really started using it constantly over the last six months. 

The solution is mostly stable. However, it requires a lot of RAM and memory. There are no bugs or glitches. 

It is not very scalable.

I'm the only security engineer. Only I use it in my company. 

I've never used technical support. I'm not sure how helpful or responsive they are. 

I used to use Portswigger Burp. This solution is free and has a lot of the paid versions Burp offers. I haven't used Burp Professional. I used the community version. I chose this solution as it is faster, at least compared to the community version. My understanding it the paid version of Burp is very fast.

The initial setup was very simple and straightforward. I didn't find any difficulty installing it on my system.

It takes about ten to 15 minutes to deploy. It depends on the machine you have. 

The solution is free to use. I don't pay any licensing fees. 

I'm an end-user. 

I'm not sure which version of the solution I'm using. 

I would rate the solution seven out of ten. While it is free to use, it does take up a lot of memory. I also find Burp easier to use than this product.

The vulnerabilities that it finds, because the primary goal is to secure applications and websites.

When I checked the CVE and MITRE databases, that gives the latest attacks that are out there for a particular software, hardware and how to protect against it.

It's possibly just a limitation of the product itself but sometimes it won't scan a particular website so you have to manually go in and make some configuration changes.

Also, it needs to have more feeds such as from the Darknet, RSS or intelligence like US-CERT, or some of those like NISTs or other standing bodies because right now it's got some CVEs in there but there's more to it than just that. So if it could tie into those, somehow, so you could do some research, like a "research tab" under tools and some one-click access to those forums and feeds.

In addition, it doesn't run on absolutely every operating system.

Five years.

As far as stability goes, perhaps if you're running it in a Kali Linux virtual machine, sometimes it doesn't close out right away so I don't know if it takes too much time to flush that RAM out. It won't crash but it will lag. On Windows, it'll just close right away.

Not at this point. Normally I just play with it on Windows but lately I've been using it on Kali.

I haven't used it. If I have a question I'll just Google it.

Also, if you go into a forum, while that's kind of like calling a human, you're really not. It's a very well developed and very mature forum with a lot of people from different organizations all over the world, so it's top notch.

I use a lot of different tools, the right tool for the job. Burp Suite, IBM Security AppScan, InMap, NIKTO, Wpscan. Depending on what you find, you might have to use better tools so OWASP Zap. I don't know if it's copyright infringement or not, given that it's open source, but it's possible they could build someone else's tools into the GUI of OWASP Zap. As the months and years go by, you'll probably see more features in there.

I'd have to say Burp Suite Pro, which is the licensed, paid-for version, is better but that's just because it's got more funding.

If you're talking about Kali, which is the Linux Pentesting operating system, it comes built in. The only thing you have to do is update it from time to time and you can automate that with like a cron or a script. With Windows you have to download it manually, install it manually and check for updates.

Burp Suite. It's part of the pool in terms of the tools that do the job, whether they're free or commercially based. So Burp Suite and Nikto, and WPScan, that's for WordPress. They're all website security checkers per se, but they're not all created equal, some are specialized for certain things.

If you're a company and you've got your own websites, internally and externally, it's great. It's a great free, open source tool to get your security staff and even your web developers to use it. If you already have a mature SDLC framework in place or web development, then maybe you should get even maybe more serious and buy the Burp Suite Professional license or other tools out there like Acunetix.

But overall I think it's a great product. It finds, I'd say, 90% if not more of the things that it needs to and helps you remediate any security findings.