We performed a comparison between OWASP Zap and Qualys Web Application Scanning based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The scalability of this product is very good."
"It can be used effectively for internal auditing."
"Automatic updates and pull request analysis."
"Simple to use, good user interface."
"The application scanning feature is the most valuable feature."
"It has improved my organization with faster security tests."
"Fuzzer and Java APIs help a lot with our custom needs."
"Key features include: Cloud-based, so the installation is not so tedious. Easily deployed. Highly scalable. Comprehensive reporting."
"The interface is user-friendly and easy to understand."
"The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
"With our vulnerabilities under control, it's putting our services in compliance and minimizing our risk for exposure."
"By using QualysGuard, we are able to finish external scans with assured results in half the time."
"The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
"We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
"The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera."
"The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"It doesn't run on absolutely every operating system."
"Reporting format has no output, is cluttered and very long."
"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"The technical support team must be proactive."
"We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."
"The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected."
"The support could be faster."
"Sometimes the response time is low because the handshake fails, and then you have to re-login and start again."
"The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."
"In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."
"There's a distinction between internal and external scanning processes that could be streamlined. Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage."
"There should be better visibility into the application."
More Qualys Web Application Scanning Pricing and Cost Advice →
OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews while Qualys Web Application Scanning is ranked 14th in Static Application Security Testing (SAST) with 31 reviews. OWASP Zap is rated 7.6, while Qualys Web Application Scanning is rated 7.8. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". OWASP Zap is most compared with SonarQube, Acunetix, Veracode, PortSwigger Burp Suite Professional and Checkmarx One, whereas Qualys Web Application Scanning is most compared with Veracode, SonarQube, PortSwigger Burp Suite Professional, Fortify WebInspect and Tenable.io Web Application Scanning. See our OWASP Zap vs. Qualys Web Application Scanning report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.