We use ZAP for penetration testing.
Manager, Quality Assurance at Managed Markets Insight & Technology, LLC
It's easy to use and the automated scan is powerful, but the cloud integration could be improved
Pros and Cons
- "ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
- "ZAP's integration with cloud-based CI/CD pipelines could be better. The scan should run through the entire pipeline."
What is our primary use case?
What is most valuable?
ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.
What needs improvement?
ZAP's integration with cloud-based CI/CD pipelines could be better. The scan should run through the entire pipeline.
For how long have I used the solution?
We have used ZAP for more than six months.
Buyer's Guide
OWASP Zap
December 2024
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
ZAP is stable.
How are customer service and support?
I rate ZAP support seven out of 10. It's good.
How would you rate customer service and support?
Neutral
How was the initial setup?
Deploying ZAP is straightforward. It took me and one other person three or four days to install and configure ZAP.
What's my experience with pricing, setup cost, and licensing?
We use the community version.
Which other solutions did I evaluate?
We did a POC for a tool by NetSuite, but that was a paid tool.
What other advice do I have?
I rate OWASP ZAP seven out of 10. It's an excellent penetration testing tool for developers. That scanning part is solid, but the integration with AWS and Azure pipelines could be better.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Professional at AEDC
Fast and easy to set up but uses a lot of memory
Pros and Cons
- "You can run it against multiple targets."
- "There isn't too much information about it online."
What is our primary use case?
It's running on my system. I use it to scan URLs and can check things if I find something.
What is most valuable?
There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets.
It is easy to set up.
The solution is stable.
What needs improvement?
I don't have any notes for improvements.
It should have more visibility. Everybody defaults to Burp. However, this is a free version that deserves more visibility.
There isn't too much information about it online. You need to self-teach in order to really learn how to use it. There isn't a lot of documentation available.
It takes up a lot of memory and RAM.
For how long have I used the solution?
I've been using the solution for roughly six months. I've used it on and off. However, I really started using it constantly over the last six months.
What do I think about the stability of the solution?
The solution is mostly stable. However, it requires a lot of RAM and memory. There are no bugs or glitches.
What do I think about the scalability of the solution?
It is not very scalable.
I'm the only security engineer. Only I use it in my company.
How are customer service and support?
I've never used technical support. I'm not sure how helpful or responsive they are.
Which solution did I use previously and why did I switch?
I used to use PortSwigger Burp. This solution is free and has a lot of what the paid version of Burp offers. I haven't used Burp Professional. I used the community version. I chose this solution as it is faster, at least compared to the community version. My understanding is that the paid version of Burp is very fast.
How was the initial setup?
The initial setup was very simple and straightforward. I didn't find any difficulty installing it on my system.
It takes about 10 to 15 minutes to deploy. It depends on the machine you have.
What's my experience with pricing, setup cost, and licensing?
The solution is free to use. I don't pay any licensing fees.
What other advice do I have?
I'm an end-user.
I'm not sure which version of the solution I'm using.
I would rate the solution seven out of ten. While it is free to use, it does take up a lot of memory. I also find Burp easier to use than this product.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works at a retailer with 1,001-5,000 employees
Finds Vulnerabilities And Gives The Latest Attacks And How To Protect Against Them
Pros and Cons
- "The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
- "It doesn't run on absolutely every operating system."
What is most valuable?
The vulnerabilities that it finds, because the primary goal is to secure applications and websites.
How has it helped my organization?
When I check the CVE and MITRE databases, they give the latest attacks that are out there for particular software and hardware, and how to protect against them.
What needs improvement?
It's possibly just a limitation of the product itself, but sometimes it won't scan a particular website, so you have to manually go in and make some configuration changes.
Also, it needs to have more feeds, such as from the Darknet, RSS, or intelligence like US-CERT, or some of those like NIST or other standing bodies, because right now it's got some CVEs in there, but there's more to it than just that. So if it could tie into those somehow, so you could do some research, like a "research tab" under tools with one-click access to those forums and feeds.
In addition, it doesn't run on absolutely every operating system.
For how long have I used the solution?
Five years.
What do I think about the stability of the solution?
As far as stability goes, perhaps if you're running it in a Kali Linux virtual machine, sometimes it doesn't close out right away, so I don't know if it takes too much time to flush that RAM out. It won't crash, but it will lag. On Windows, it'll just close right away.
What do I think about the scalability of the solution?
Not at this point. Normally I just play with it on Windows but lately I've been using it on Kali.
How are customer service and technical support?
I haven't used it. If I have a question I'll just Google it.
Also, if you go into a forum, while that's kind of like calling a human, you're really not. It's a very well developed and very mature forum with a lot of people from different organizations all over the world, so it's top notch.
Which solution did I use previously and why did I switch?
I use a lot of different tools, the right tool for the job: Burp Suite, IBM Security AppScan, Nmap, Nikto, WPScan. Depending on what you find, you might have to use better tools, so OWASP Zap. I don't know if it's copyright infringement or not, given that it's open source, but it's possible they could build someone else's tools into the GUI of OWASP Zap. As the months and years go by, you'll probably see more features in there.
I'd have to say Burp Suite Pro, which is the licensed, paid-for version, is better but that's just because it's got more funding.
How was the initial setup?
If you're talking about Kali, which is the Linux pentesting operating system, it comes built in. The only thing you have to do is update it from time to time, and you can automate that with something like a cron job or a script. With Windows you have to download it manually, install it manually, and check for updates.
Which other solutions did I evaluate?
Burp Suite. It's part of the pool in terms of the tools that do the job, whether they're free or commercially based. So Burp Suite and Nikto, and WPScan, that's for WordPress. They're all website security checkers per se, but they're not all created equal, some are specialized for certain things.
What other advice do I have?
If you're a company and you've got your own websites, internally and externally, it's great. It's a great free, open source tool to get your security staff and even your web developers to use. If you already have a mature SDLC framework in place for web development, then maybe you should get even more serious and buy the Burp Suite Professional license or other tools out there like Acunetix.
But overall I think it's a great product. It finds, I'd say, 90% if not more of the things that it needs to and helps you remediate any security findings.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Program Manager at a manufacturing company with 1,001-5,000 employees
The tool's learning curve is smooth and light
Pros and Cons
- "It scans while you navigate, then you can save the requests performed and work with them later."
- "I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
What is our primary use case?
OWASP ZAP is a very useful, light tool for beginners to learn how to “spider” across websites. It is easy to configure and generate reports. There are other solutions for more mature, experienced security analysts and testers, who are capable of extending the coverage of a security assessment.
It is most frequently used to review HTTP methods, how they are constructed and whether there is sensitive information in the traffic, such as how HTTPS certifications work on the website, scanning open ports visible via the web, and trying to modify HTTP methods to add or delete requests.
I have used OWASP ZAP as part of my portfolio of security tools since 2013.
How has it helped my organization?
Using this tool, it helps enhance and speed the process of covering big applications with many functionalities. It scans while you navigate, then you can save the requests performed and work with them later. Also, you can pass these requests to colleagues involved in the same security assessment to increase the monitoring as well as avoid extra work.
What is most valuable?
- Interception of proxy traffic
- Session comparisons
- Port scanner
- Fuzzing
- Brute force
- Cookie management
What needs improvement?
I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
We have had stability issues a few times. You need to do extra configurations on the tool to make it catch traffic with different browsers. Otherwise, it won’t display any requests.
What do I think about the scalability of the solution?
No scalability issues. I found this to be a very flexible tool.
How are customer service and technical support?
OWASP ZAP has a forum to help out customers and analysts, as well as an interaction with other experts for a quick process of “Question-Answer”.
Which solution did I use previously and why did I switch?
OWASP ZAP is one of the solutions that I use. For simple tasks, I use Fiddler. For other advanced techniques, I use the Burp Suite. I would say OWASP ZAP is a really light, useful tool in the middle of the other two mentioned.
How was the initial setup?
Initial setup was pretty straightforward; nothing complex.
What's my experience with pricing, setup cost, and licensing?
OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate.
Which other solutions did I evaluate?
As mentioned, Burp Suite and Fiddler are two other great options. OWASP ZAP excels for what it does and for how smooth and light the tool's learning curve can be.
What other advice do I have?
This is a very mature tool. It is capable of facilitating the work of many security experts. I highly recommend it for beginners and advanced users when some other tools fail to catch traffic.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO and Founder at Indicrypt Systems
Offers good web application spidering and vulnerability assessment
Pros and Cons
- "The automated vulnerability assessments that the application performs need to be simplified as well as diversified."
What is our primary use case?
We primarily use this application for web application spidering and vulnerability assessment.
What is most valuable?
The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular website. The spidering mechanism is very good.
What needs improvement?
The automatic scans need improvement. The automated vulnerability assessments that the application performs need to be simplified as well as diversified.
For how long have I used the solution?
I've been using the solution for 5 years.
What do I think about the stability of the solution?
The solution is very stable. Presently there are only around three people including me using this particular solution. I really don't think we would be needing anything more than these as of right now.
What do I think about the scalability of the solution?
I would say that scalability doesn't apply to this particular application.
How are customer service and technical support?
Presently there is only community support available, and we are able to solve a lot of problems using the documentation with community support.
Which solution did I use previously and why did I switch?
Yes, we actually use a couple of different products but there is one specifically that we use, which is the Burp Suite.
How was the initial setup?
The initial setup was very straightforward.
What's my experience with pricing, setup cost, and licensing?
This app is completely free and open source. So there is no question about any pricing.
What other advice do I have?
I would recommend that you should go through the documentation really well. That's it.
I would rate this product 8 out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees
Provides good automatic scanning and privacy; reporting could be improved
Pros and Cons
- "Automatic scanning is a valuable feature and very easy to use."
- "Reporting format has no output, is cluttered and very long."
What is our primary use case?
We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users.
How has it helped my organization?
The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support.
What is most valuable?
The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.
What needs improvement?
The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.
For how long have I used the solution?
I've been using this solution for about one year.
What do I think about the stability of the solution?
The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.
How are customer service and technical support?
We are using the open source version so we have no technical support for now.
How was the initial setup?
The installation is very simple. It's just an executable file because, for now, we are not using it as a part of CI/CD or anything else. We have just installed the open source version on the laptop, which has simplified things; our toolbox opens up, we just give the URL, and it does an automatic scan. So information-wise and operation-wise, it is easy now. Our team carried out the deployment by first reading, watching videos, and taking various courses. We had help from the company security team.
Which other solutions did I evaluate?
I carried out an evaluation between Checkmarx and OWASP Zap.
What other advice do I have?
If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that.
I rate this solution a six out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at Harald A. Møller AS
Has made us feel safer doing frequent deployments for web applications and has a plug-in into every major system
Pros and Cons
- "This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
- "If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities, but it's a bit hard to see after the scanning."
What is our primary use case?
Our primary use case of this solution is to scan and check that the applications we put on the internet are safe and secure.
How has it helped my organization?
This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we are doing large deployments, we might get a professional security partner in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes the process easier and safer.
What is most valuable?
Automatic scanning after a manual walkthrough is the most valuable feature.
What needs improvement?
I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning.
I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
Good.
What do I think about the scalability of the solution?
In terms of scalability, I only tried it on small applications, so I don't know, but it seems very quick. We have plans to increase usage and to also support APIs and not just the applications. All applications that will be exposed to the internet are scanned. The ones that are used internally, in the organization, are not scanned at this point in time.
How are customer service and technical support?
I never had to reach out to their technical support. The internet forums are great. There's so much open information on the internet so you don't really need much else.
Which solution did I use previously and why did I switch?
We tried PortSwigger Burp suite, but only briefly. We have also used IBM AppScan for a while.
How was the initial setup?
The initial setup was straightforward. We didn't have to do much. There was an easy to follow guide online and there was not much to do other than to follow a straightforward tutorial. Deployment took around an hour.
What about the implementation team?
I implemented it myself.
What's my experience with pricing, setup cost, and licensing?
It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use.
Which other solutions did I evaluate?
We ran IBM AppScan for a year, but it was expensive and did not deliver more value. Veracode was pretty much the same and cost the same. We then also looked at PortSwigger Burp Suite Pro, which is at a better price point and a very good expert tool. Though at this point in time, given our needs, it does not seem to give us any advantage over ZAP. Also, the forums and the internet community are excellent on ZAP, and it's free.
What other advice do I have?
I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs.
I would rate this solution an eight out of ten. It does what it says it will do and it's not hard to set up. It is also easy to use both automatically and manually and has a plug-in into every major build tool, like Jenkins, GitLab and others. You can automate it through the build process.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good user interface and easy to use; test reports could be improved
Pros and Cons
- "Simple to use, good user interface."
- "Too many false positives; test reports could be improved."
What is our primary use case?
I'm a business analyst and we're a customer of OWASP Zap.
What is most valuable?
The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.
What needs improvement?
I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives.
For how long have I used the solution?
I've been using this solution for the past few months.
What do I think about the stability of the solution?
The stability is okay although we get many false positives when pulling out test reports.
What do I think about the scalability of the solution?
The scalability is very good.
How are customer service and technical support?
I haven't needed technical support to date and I haven't yet started using the community support.
How was the initial setup?
The initial setup wasn't very complex. You're supposed to install a JDK, a Java file. I think implementation took about an hour. There are seven people in the company using the solution, and maybe in the coming days there will be more.
What other advice do I have?
I would definitely recommend this product provided the company can provide more clarity on the false positives that we get.
I would rate this solution a seven out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.