OWASP Zap Reviews

Security/penetration testing of a Java-based Web application which is served over a SaaS platform.

Zap has been integrated as one of the important tools in our QA cycle. All beta releases of our software go through Zap scanning. Custom reports are generated - they are pretty decent and standardized - and are submitted to upper management for auditing by a third-party.

We save a significant amount of money on third-party security auditing time.

We are also able to minimize most of the security threats for our software prior to releases, thus saving a lot of time on security fixes and post-release path builds.

Fuzzer and Java APIs help a lot with our custom needs.

It would be nice to have a solid SQL injection engine built into Zap.

No stability issues for us, so far.

No major problems in terms of the scalability of the software.

Community support and documentation are good.

Setup of Zap is relative easy and straightforward for any technical person, with good documentation to configure it according to your needs.

As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out.

We evaluated several other packages prior to OWASP Zap, such as Burp Suite and Acunetix. We finally moved to Zap as it is open-source and provides almost all the features and the customization that we need.

I would rate it an eight out of 10, based on the usability and variety of features provided. It is highly customizable in terms of usability and reporting, and all of this is available in a free solution.

I'm a business analyst and we're a customer of OWASP Zap. 

The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.

I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives. 

I've been using this solution for the past few months. 

The stability is okay although we get many false positives when pulling out test reports. 

The scalability is very good. 

I haven't needed technical support to date and I haven't yet started using the community support.  

The initial setup wasn't very complex. You're supposed to install a JDK, Java file. I think implementation took about an hour. There are seven people in the company using the solution and maybe in the coming days there will be more. 

I would definitely recommend this product provided the company can provide more clarity on the false positives that we get. 

I would rate this solution a seven out of 10. 

It is a security tool. We use it for application testing. 

It can be used effectively for internal auditing. We use it to detect f/p (false positives). 

It needs more robust reporting tools that can be in an editable form. 

This is a good, stable product. 

We have not used technical support. 

We looked at Arachni and Acunetix.

Zap collects all the AJAX and Ambelo GS links. It pages in everything from a target. I'm a security consultant and we are customers of Zap. 

Zap is an open-source and sophisticated product. It not only saves us money but also provides us with a good amount of information. In terms of testing and attack simulations, it's pretty good. It updates its repositories and libraries pretty quickly. 

The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.

The solution is stable. 

We haven't had any scalability challenges. 

The installation was relatively easy as is maintenance. 

Whether this is a good solution depends on the use case. If an organization is looking for a professional license without putting down any money, this is one of the best solutions.  

I would rate this solution more highly if we were able to customize reports. For now, I rate this solution eight out of 10.

• Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
• Simple and easy to learn and master.
• Good online product documentation.
• Built in features include: Intercepting proxy, Plug and Hack support, Automated scanning, Passing scan, Fuzzer, Traditional and Ajax Crawling and Web Socket support and so on.
• Detailed reporting mechanism.
• The tool has been translated in 25 different languages.
• Can be executed through GUI, command line and also in Daemon mode with the help of REST API.
• Very good API support for automating security tests.
• Supports multiple platforms like Mac, Linux and Windows.
• It's easy to create add-ons and extensions to scale up the features of the tool.

We have leveraged our existing functional tests for security testing by integrating web driver scripts with the OWASP ZAP tool.

Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.

6 months

Did not encounter any issues. It's easy to install and configure.

So far I am very comfortable and did not find any stability related issues.

It is scalable, by creating new extensions and add-ons for the tool. But we faced a couple of challenges initially which were solved with the help of online documentation

4/10

4/10

No

It is very simple to install and configure.

We have implemented this with the in-house team support.

Instead of creating a new framework for security tests, it helped us to leverage (reuse) existing functional test automation framework for security tests. This reduces lot of rework.

It is highly recommended as it is an open source tool.

No, we are happy with the features provided with this tool, but if you want to go with static code analysis for security tests, we need to find a different option here.

Very good and useful tool for security testing and penetrations testers.

Currently, we deploy these tools to serve in a few of our services in the organization.

The solution is very easy to use.

The initial setup is straightforward.

The solution is free due to the fact that it is open-source.

The stability of the solution is very good.

The product has a strong community surrounding it to help with issues and troubleshooting.

The technical support could be improved. It doesn't offer traditional technical support at all.

It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.

I've been using the solution for a while. I've used it at least over the last 12 months.

The stability of the solution s very good. We've never had any issues. It's been reliable. There are no bugs or glitches. It doesn't crash or freeze.

While the solution can scale to a certain extent, it cannot scale a lot. This is not one of the strengths of the product.

We only have one user that is engaged with the solution currently.

OWASP is an open-source solution. There's a big community surrounding it, however, it does not have traditional technical support. The main support comes from the community itself. If you have questions, you can find them there, or ask the community for feedback.

We previously used the PortSwigger Burp Suite. It's a commercial version with support. We had to pay for the solution on a yearly basis, whereas OWASP is open-source and free.

We found the initial setup to be very straightforward. It's easy. It's not complex. A company shouldn't have any issues with the implementation process.

The deployment only took half an hour. It wasn't more than that. The process is pretty fast.

YOu do not need a big team to handle the deployment process. We only used two.

We deployed the solution ourselves using an in-house team. We didn't need the assistance of consultants or integrators from outside firms.

The solution is open-source. It doesn't cost anything to use it.

We are a customer and end-user of the product.

There's lots of information online for users who are curious to learn more about the product.

In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.

I tested this application for a bank and public projects. Now, I am testing products.

It has improved my organization with faster security tests.

• Automatic scanner: It makes work easier. 
• I like the new solution, ZAP Browser Launch. 
• Automation script

The port scanner and Zap could not send a request several times, but this has been corrected.

It is a very good product. Though, the port scanner is a little too slow.

The API is exceptional.

I can provide examples of how OWASP Zed Attack Proxy (ZAP) has been used inside many of my customer's environments. I've set up Security Regression testing using the ZAP API and written about how this is done in my first book.

I've also spoken and run many pieces of training on setting up Security Regression testing with the ZAP API.

The documentation is lacking and out-of-date, it really needs more love. This is a common scenario with developers running many open-source projects. The community is trying to help with this. I've done my part with providing details on how to use the ZAP API for Security Regression testing. I think ZAP is now sponsored by the Linux Foundation.

I have used this solution for around six to seven years.

There were no stability issues, it has been in production-ready for a long time.

There were no scalability issues, ZAP is a very fully featured HTTP intercepting proxy with many types of attacks targeting a plethora of known vulnerabilities. The OWASP Top 10 receives good coverage with ZAP. The REST API scales as far as you have resources. ZAP also has a docker image.

Technical support is excellent. The maintainers have gone well beyond what would be expected of any open-source project maintainers. They have personally worked with my customer projects to help on some of the issues we had with some legacy HTTP applications that had communications that were difficult to reason about. ZAP was not at fault at all, but the maintainers were very passionate about making sure I got the security regression system working well.

I've used many HTTP intercepting proxies, ZAP is one of the few that has an excellent API to program against. Using ZAP manually is also very fully featured.

Using the API was initially difficult to set-up, not because the API was difficult, but working out the incantations that needed to be sent. You can see these in my code.

It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy.

I've been evaluating all the well-known HTTP intercepting proxies for years, as I have mentioned earlier, ZAP is the only one that has a fully featured REST API. It also has API clients written in many languages.

Don't re-implement it, just use it.

It's an excellent solution, i.e., driven by committed and passionate security focussed developers.