We compared SonarQube and OWASP Zap based on our user's reviews in several parameters.
SonarQube and OWASP Zap both provide valuable features for detecting vulnerabilities and enhancing code security. SonarQube stands out for its comprehensive features, versatile language support, and seamless DevOps integration, while OWASP Zap is praised for its robust scanning capabilities and user-friendly interface. SonarQube offers strong customer service and positive ROI, while OWASP Zap is commended for its responsive support and affordable pricing. Areas for improvement include analysis speed for SonarQube and tool performance for OWASP Zap.
Features: SonarQube stands out for its support for multiple languages, integration with DevOps pipelines, ability to detect vulnerabilities, and usability enhancements. In contrast, OWASP Zap is praised for its robust scanning capabilities, effective interception and proxying features, comprehensive reporting options, ease of use, user-friendly interface, and strong community support.
Pricing and ROI: The setup cost for SonarQube is considered straightforward and easy, with users appreciating the simplicity of the process. On the other hand, OWASP Zap's setup cost is minimal and hassle-free, allowing for quick and easy installation., SonarQube has proven highly beneficial for ROI, improving code quality, fixing issues, enhancing project efficiency, and detecting vulnerabilities. OWASP Zap provides enhanced security measures, risk mitigation, and user-friendly flexibility.
Room for Improvement: SonarQube's room for improvement lies in enhancing analysis speed, refining UI for navigation, providing clearer setup instructions and advanced functionality documentation, addressing occasional performance issues, and improving integration options. On the other hand, OWASP Zap needs improvements in tool speed and performance, user interface usability, documentation clarity, tool stability, advanced features and customization options, and reporting capabilities.
Deployment and customer support: Users mentioned that it took them three months for deployment and an additional week for setup with SonarQube, while OWASP Zap users had varying timeframes. SonarQube's deployment and setup durations are longer compared to OWASP Zap., SonarQube is commended for its exceptional customer service, with prompt and knowledgeable assistance. Users express confidence in the reliability of its support. OWASP Zap's customer service is also highly praised, with helpful and responsive staff who ensure a positive user experience.
The summary above is based on 47 interviews we conducted recently with SonarQube and OWASP Zap users. To access the review's full transcripts, download our report.
"It scans while you navigate, then you can save the requests performed and work with them later."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The interface is easy to use."
"You can run it against multiple targets."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"The solution is good at reporting the vulnerabilities of the application."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products."
"We consider it a handy tool that helps to resolve our issues immediately."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"Provides local scanning for developers."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"This has improved our organization because it has helped to find Security Vulnerabilities."
"It is a very good tool for analysis and security vulnerability checking."
"It would be nice to have a solid SQL injection engine built into Zap."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The product reporting could be improved."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"OWASP Zap needs to extend to mobile application testing."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality."
"Code security scanning could be improved."
"Monitoring is a feature that can be improved in the next version."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
OWASP Zap is ranked 7th in Application Security Testing (AST) with 37 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 110 reviews. OWASP Zap is rated 7.6, while SonarQube is rated 8.0. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". OWASP Zap is most compared with Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional, Veracode and Checkmarx One, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitLab. See our OWASP Zap vs. SonarQube report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
