We compared Veracode and OWASP Zap across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode is the preferred product over OWASP Zap. However, if you have a limited budget and technical expertise for setup and customization, go for OWASP ZAP. If you prioritize ease of use, a cloud-based solution, and you require a broader range of security functionalities beyond just vulnerability scanning, choose Veracode.
"It has evolved over the years and recently in the last year they have added HUD (Heads Up Display)."
"The ZAP scan and code crawler are valuable features."
"It can be used effectively for internal auditing."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"It has improved my organization with faster security tests."
"The solution has tightened our security."
"The interface is easy to use."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"The coverage of the last vulnerabilities reported."
"It does software composition analysis, discovering open source software weaknesses."
"Veracode does not require any maintenance."
"The Veracode technical support is very good. They are responsive and very knowledgeable."
"The most valuable feature is the efficiency of the tool in finding vulnerabilities."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
"I like the way the flaws are reported in the system."
"The installation was straightforward."
"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"The technical support team must be proactive."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"It needs more robust reporting tools."
"The reporting feature could be more descriptive."
"The solution is unable to customize reports."
"When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code."
"We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."
"We use Ruby on Rails and we still don't have any support for that from Veracode."
"The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary."
"There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."
"The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."
"If you schedule two parallel scans under the same project, one of them will be a failure."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. OWASP Zap is rated 7.6, while Veracode is rated 8.2. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional and Checkmarx One, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and SonarCloud. See our OWASP Zap vs. Veracode report.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.