OWASP Zap Reviews

We use the solution for security testing. 

OWASP Zap needs to extend to mobile application testing. 

OWASP Zap is stable. 

The tool is open-source. 

I rate the solution an eight out of ten. 

Our primary use case for this solution is for reviewing applications developed in-house to test for known vulnerabilities, and we deploy this product on-premises. Additionally, we use the solution to review some applications that were developed in-house and test for any general or known vulnerabilities before moving them to the production environment.

The product has improved our application security engagement. It helps with our in-house review and sometimes, we don't need an external third-party tester to review it. Once we get it from OWASP Zap, we have an idea of the inherent vulnerabilities in the application. This is a plus to save cost and improve our application accuracy practice.

The most valuable feature is scanning the URL to drill down all the different sites and features embedded within the URL, like the crawler and the Spy Dream.

The product reporting could be improved. It could be changed to authorize reporting to be viewed from different perspectives to get additional regulatory requirements.

We have been using this solution for approximately six years and are currently using the latest version.

The solution is stable.

We have not explored the scalability of the system yet. We only have two users currently using it.

We have not reached out to the technical team for support.

We previously used Net Packer.

The initial setup is straightforward.

Implementation was done in-house.

We see a return on investment with this solution.

I cannot comment on licensing costs, as a different department handles it.

We did not evaluate other options before choosing this solution.

I rate this solution a seven out of ten. The product is good, but the reporting process could be improved. I recommend this solution to people looking for a quick DAST application and a dynamic application security testing tool. Additionally, the solution is cost-effective.

The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be. 

The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them. 

The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed. 

We have been using OWASP Zap for more than four years. 

The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance. 

The solution is scalable. It can be run simultaneously for different targets. 

I have not had experience with using technical support. I make use of a public community on the public website.

The initial setup is a bit complex, not straightforward. It could be made easy if, lets say, a project can be defined for a certain task through the project's creation. This may simplify its use. 

Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well. 

I used the source code design for the deployment.

I have not had experience with the code crawler, OSWAP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler. 

I rate OWASP Zap as a six out of ten. 

We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users. 

The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support. 

The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.

The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.

I've been using this solution for about one year. 

The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.

We are using the open source version so we have no technical support for now.

The installation is very simple. It's just an executable file because for now, we are not using it as a part of CACD or anything else. We have just installed the open source version on the laptop which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information wise and operational wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.

I carried out an evaluation between Checkmarx and OWASP Zap.

If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that. 

I rate this solution a six out of 10.

We use it for our security scanning for our applications. 

The application scanning feature is the most valuable feature. 

The reporting feature could be more descriptive.

I have been using OWASP Zap for four years. 

It is a stable solution. 

Presently seven people use this solution. It is scalable. 

The initial setup is straightforward. 

It's open source.

Overall, i would rate the solution a seven out of ten. 

It's running on my system. I use it to scan URLs and can check things if I find something. 

There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets. 

It is easy to set up.

The solution is stable. 

I don't have any notes for improvements.

It should have more visibility. Everybody defaults to Burp. However, this is a free version that deserves more visibility.

There isn't too much information about it online. You need to self-teach in order to really learn how to use it. There isn't a lot of documentation available. 

It takes up a lot of memory and RAM. 

I've been using the solution for roughly six months. I've used it on and off. However, I really started using it constantly over the last six months. 

The solution is mostly stable. However, it requires a lot of RAM and memory. There are no bugs or glitches. 

It is not very scalable.

I'm the only security engineer. Only I use it in my company. 

I've never used technical support. I'm not sure how helpful or responsive they are. 

I used to use Portswigger Burp. This solution is free and has a lot of the paid versions Burp offers. I haven't used Burp Professional. I used the community version. I chose this solution as it is faster, at least compared to the community version. My understanding it the paid version of Burp is very fast.

The initial setup was very simple and straightforward. I didn't find any difficulty installing it on my system.

It takes about ten to 15 minutes to deploy. It depends on the machine you have. 

The solution is free to use. I don't pay any licensing fees. 

I'm an end-user. 

I'm not sure which version of the solution I'm using. 

I would rate the solution seven out of ten. While it is free to use, it does take up a lot of memory. I also find Burp easier to use than this product.

We primarily use this application for web application spidering and vulnerability assessment.

The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular website. The spidering mechanism is very good.

The automatic scans need improvement. The automated vulnerability assessments that the application performs needs to be simplified as well as diversified.

The solution is very stable. Presently there are only around three people including me using this particular solution. I really don't think we would be needing anything more than these as of right now.

I would say that scalability doesn't apply to this particular application. 

Presently there is only community support available, and we are able to solve a lot of problems using the documentation with community support.

Yes, we actually use a couple of different products but there is one specifically that we use, which is the Burp Suite.

The initial setup was very straightforward.

This app is completely free and open source. So there is no question about any pricing.

I would recommend that you should go through the documentation really well. That's it.

I would rate this product 8 out of 10.

Our primary use case of this solution is to scan and check that the applications we put on the internet are safe and secure.

This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we are doing large deployments, we might get a professional security partner in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes the process easier and safer.

Automatic scanning after a manual walkthrough is the most valuable feature. 

I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning. 

I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.

Good.

In terms of scalability, I only tried it on small applications, so I don't know, but it seems very quick. We have plans to increase usage and to also support APIs and not just the applications. All applications that will be exposed to the internet are scanned. The ones that are used internally, in the organization, are not scanned at this point in time.

I never had to reach out to their technical support. The internet forums are great. There's so much open information on the internet so you don't really need much else. 

We tried PortSwigger Burp suite, but only briefly. We have also used IBM AppScan for a while.

The initial setup was straightforward. We didn't have to do much. There was an easy to follow guide online and there was not much to do other than to follow a straightforward tutorial. Deployment took around an hour. 

I implemented it myself. 

It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use.

We ran IBM Appscan for a year, but it was expensive and did not deliver more value. Veracode was pretty much the same and cost the same. We then also looked at PortSwigger Burp Suite Pro, which is at a better price point and a very good expert tool. Though at this point in time, given our needs, it does not seem to give us any advantage over ZAP. Also, the forums and the internet community is excellent on ZAP and it's free.

I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs.

I would rate this solution an eight out of ten. It does what it says it will do and it's not hard to set up. It is also easy to use both automatically and manually and has a plug-in into every major build-tool, like Jenkins , Gitlab and others. You can automate it through a building process.