OWASP Zap Reviews

Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.

I would say that the automatic update is a very valuable feature because we are able to update our internal data base. The pull request analysis is also very good.

The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories. 

I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up. 

We've been using this solution for three or four years. 

Regarding stability, we have some issues in our product and we need to work on it. Something is wrong in the architecture, perhaps it's a bug. 

The initial setup was done before I came to the company. There are five people on our security team who discuss maintenance issues and try to solve problems. 

I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance.

I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10. 

We primarily use this product for web application scanning.

The interface is easy to use.

The documentation needs to be improved because I had to learn everything from watching YouTube videos.

I have been working with OWASP Zap for about three months.

I have not experienced any trouble in terms of stability.

Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.

I have not been in contact with technical support.

The initial setup was straightforward. For me, I just had to press "Next" several times. Between the installation, downloading videos, and investigating how to deploy it, I would say that the process took roughly a day.

I did not require third-party assistance for the deployment.

This solution is providing us with value and as long as it continues to do so, we'll continue to use it.

This is an open-source solution and can be used free of charge.

This is a good product where most of the functionality is free, which is why I recommend that others use it.

I would rate this solution a seven out of ten.

We only tried out the demo to see what the solution offers and how it performs overall business scanning. They also offer open-source projects.

There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.

The OWASP Zap solution was very stable during the few days we used it.

The scalability of this product is very good.

I will rate this product a seven out of ten, because I think the visibility needs to be improved, and the support person needs to do a better job. What's more, additional features, like domain support or different authentication support also needs to be improved.

We use this product for vulnerability scanning and for testing. I'm an automation engineer. 

The HUD, Heads Up Display, is a good feature. It provides on-site testing and saves a lot of time.

We get too many false positives and that should definitely be improved. I'd like to see site scanning included in the solution because it can get into your hidden files and reports. 

I've been using this solution for one year. 

The solution is stable. 

The solution is not scalable. 

The initial setup is straightforward and was carried out in-house without assistance from a third party. 

It's worth exploring and learning the tool. It helps a lot to understand the vulnerabilities in the applications. I rate the solution eight out of 10. 

We use OWASP Zap for web application security scanning.

They offer free access to some other tools.

Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.

I have been using OWASP Zap for approximately three months.

I have used other solutions, such as AngularJS.

The installation is straightforward.

This solution is open source and free.

I have been evaluating Armor for my teammates who are using ZAP. I have found that Armor is better than ZAP and we are looking to switch solutions.

I rate OWASP Zap a six out of ten.

The use case was we needed to scan our website to find out what vulnerabilities were present.

We use it to scan the website, then take a report about what vulnerabilities are present on it. Next, we will manually verify those vulnerabilities for false positives.

Every now and then, there is an update. They add new vulnerabilities to the scan list. That is where they just keep on improving.

The community support that ZAP provides me. As an open source, it provides me flexibility and is convenient to use.

As security evolves, we would like DevOps built into it. As of now, Zap does not provide this.

I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.

Stability is good.

We have not scaled yet. Though, we should be able to scale.

I have not used any support for this solution yet.

The initial setup is straightforward, because we can integrate it directly into the SDLC.

The community edition updates services regularly. They add new vulnerabilities into the scanning list.