The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.
Senior Manager at a marketing services firm with 10,001+ employees
Reporting gives you a clear indication of what kind of vulnerability you have that you can drill down on but the reporting should assist with base-lining
Pros and Cons
- "The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
- "I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help."
What is most valuable?
What needs improvement?
I'm still in the process of exploring.
I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help.
For how long have I used the solution?
I haven't been using this solution for very long yet.
What other advice do I have?
I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
Pros and Cons
- "It can be used effectively for internal auditing."
- "It needs more robust reporting tools."
What is our primary use case?
It is a security tool. We use it for application testing.
How has it helped my organization?
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
What needs improvement?
It needs more robust reporting tools that can be in an editable form.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
This is a good, stable product.
How is customer service and technical support?
We have not used technical support.
Which other solutions did I evaluate?
We looked at Arachni and Acunetix.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
OWASP Zap
October 2024
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
Security Consultant
Provides good information and is sophisticated; updates repositories and libraries quickly
Pros and Cons
- "It updates repositories and libraries quickly."
- "The solution is unable to customize reports."
What is our primary use case?
Zap collects all the AJAX and Ambelo GS links. It pages in everything from a target. I'm a security consultant and we are customers of Zap.
What is most valuable?
Zap is an open-source and sophisticated product. It not only saves us money but also provides us with a good amount of information. In terms of testing and attack simulations, it's pretty good. It updates its repositories and libraries pretty quickly.
What needs improvement?
The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
We haven't had any scalability challenges.
How was the initial setup?
The installation was relatively easy as is maintenance.
What other advice do I have?
Whether this is a good solution depends on the use case. If an organization is looking for a professional license without putting down any money, this is one of the best solutions.
I would rate this solution more highly if we were able to customize reports. For now, I rate this solution eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Subdirector de Seguridad Informática e Infraestructura at a financial services firm with 201-500 employees
Open-source and easy to use with a straightforward setup
Pros and Cons
- "The stability of the solution is very good."
- "It would be a great improvement if they could include a marketplace to add extra features to the tool."
What is our primary use case?
Currently, we deploy these tools to serve in a few of our services in the organization.
What is most valuable?
The solution is very easy to use.
The initial setup is straightforward.
The solution is free due to the fact that it is open-source.
The stability of the solution is very good.
The product has a strong community surrounding it to help with issues and troubleshooting.
What needs improvement?
The technical support could be improved. It doesn't offer traditional technical support at all.
It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.
For how long have I used the solution?
I've been using the solution for a while. I've used it at least over the last 12 months.
What do I think about the stability of the solution?
The stability of the solution is very good. We've never had any issues. It's been reliable. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
While the solution can scale to a certain extent, it cannot scale a lot. This is not one of the strengths of the product.
We only have one user that is engaged with the solution currently.
How are customer service and technical support?
OWASP is an open-source solution. There's a big community surrounding it, however, it does not have traditional technical support. The main support comes from the community itself. If you have questions, you can find them there, or ask the community for feedback.
Which solution did I use previously and why did I switch?
We previously used the PortSwigger Burp Suite. It's a commercial version with support. We had to pay for the solution on a yearly basis, whereas OWASP is open-source and free.
How was the initial setup?
We found the initial setup to be very straightforward. It's easy. It's not complex. A company shouldn't have any issues with the implementation process.
The deployment only took half an hour. It wasn't more than that. The process is pretty fast.
You do not need a big team to handle the deployment process. We only used two.
What about the implementation team?
We deployed the solution ourselves using an in-house team. We didn't need the assistance of consultants or integrators from outside firms.
What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It doesn't cost anything to use it.
What other advice do I have?
We are a customer and end-user of the product.
There's lots of information online for users who are curious to learn more about the product.
In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works at a computer software company with 1,001-5,000 employees
It makes work easier and creates faster security testing
Pros and Cons
- "It has improved my organization with faster security tests."
- "The port scanner is a little too slow."
What is our primary use case?
I tested this application for a bank and public projects. Now, I am testing products.
How has it helped my organization?
It has improved my organization with faster security tests.
What is most valuable?
- Automatic scanner: It makes work easier.
- I like the new solution, ZAP Browser Launch.
- Automation script
What needs improvement?
The port scanner and Zap could not send a request several times, but this has been corrected.
What other advice do I have?
It is a very good product. Though, the port scanner is a little too slow.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technologist at a tech services company
API is exceptional; documentation needs some love
Pros and Cons
- "The API is exceptional."
- "The documentation is lacking and out-of-date; it really needs more love."
What is most valuable?
The API is exceptional.
How has it helped my organization?
I can provide examples of how OWASP Zed Attack Proxy (ZAP) has been used inside many of my customer's environments. I've set up Security Regression testing using the ZAP API and written about how this is done in my first book.
I've also spoken and run many pieces of training on setting up Security Regression testing with the ZAP API.
What needs improvement?
The documentation is lacking and out-of-date; it really needs more love. This is a common scenario with developers running many open-source projects. The community is trying to help with this. I've done my part by providing details on how to use the ZAP API for Security Regression testing. I think ZAP is now sponsored by the Linux Foundation.
For how long have I used the solution?
I have used this solution for around six to seven years.
What do I think about the stability of the solution?
There were no stability issues; it has been production-ready for a long time.
What do I think about the scalability of the solution?
There were no scalability issues. ZAP is a very fully featured HTTP intercepting proxy with many types of attacks targeting a plethora of known vulnerabilities. The OWASP Top 10 receives good coverage with ZAP. The REST API scales as far as you have resources. ZAP also has a Docker image.
How are customer service and technical support?
Technical support is excellent. The maintainers have gone well beyond what would be expected of any open-source project maintainers. They have personally worked with my customer projects to help on some of the issues we had with some legacy HTTP applications that had communications that were difficult to reason about. ZAP was not at fault at all, but the maintainers were very passionate about making sure I got the security regression system working well.
Which solution did I use previously and why did I switch?
I've used many HTTP intercepting proxies; ZAP is one of the few that has an excellent API to program against. Using ZAP manually is also very fully featured.
How was the initial setup?
Using the API was initially difficult to set up, not because the API was difficult, but because of working out the incantations that needed to be sent. You can see these in my code.
What's my experience with pricing, setup cost, and licensing?
It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is very easy.
Which other solutions did I evaluate?
I've been evaluating all the well-known HTTP intercepting proxies for years; as I mentioned earlier, ZAP is the only one that has a fully featured REST API. It also has API clients written in many languages.
What other advice do I have?
Don't re-implement it, just use it.
It's an excellent solution, driven by committed and passionate security-focused developers.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Engineer at a computer software company with 201-500 employees
Easy to install, free to use, but missing features
Pros and Cons
- "They offer free access to some other tools."
- "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
What is our primary use case?
We use OWASP Zap for web application security scanning.
What is most valuable?
They offer free access to some other tools.
What needs improvement?
Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.
For how long have I used the solution?
I have been using OWASP Zap for approximately three months.
Which solution did I use previously and why did I switch?
I have used other solutions, such as AngularJS.
How was the initial setup?
The installation is straightforward.
What's my experience with pricing, setup cost, and licensing?
This solution is open source and free.
Which other solutions did I evaluate?
I have been evaluating Armor for my teammates who are using ZAP. I have found that Armor is better than ZAP and we are looking to switch solutions.
What other advice do I have?
I rate OWASP Zap a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Great HUD feature that provides on-site testing and saves a lot of time
Pros and Cons
- "The HUD is a good feature that provides on-site testing and saves a lot of time."
- "There are too many false positives."
What is our primary use case?
We use this product for vulnerability scanning and for testing. I'm an automation engineer.
What is most valuable?
The HUD, Heads Up Display, is a good feature. It provides on-site testing and saves a lot of time.
What needs improvement?
We get too many false positives and that should definitely be improved. I'd like to see site scanning included in the solution because it can get into your hidden files and reports.
For how long have I used the solution?
I've been using this solution for one year.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is not scalable.
How was the initial setup?
The initial setup is straightforward and was carried out in-house without assistance from a third party.
What other advice do I have?
It's worth exploring and learning the tool. It helps a lot to understand the vulnerabilities in the applications. I rate the solution eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.