We performed a comparison between Klocwork and OWASP Zap based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The most valuable feature is the Incremental analysis."
"We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability."
"The most valuable feature of Klocwork is finding defects while you're doing the coding. For example, if you have an IDE plug-in of Klocwork on Visual Studio or Eclipse, you can find the faults; similar to using spell check on Word, you can find out defects during the development phase, which means that you don't have to wait till the development is over to find the flaws and address the deficiencies. I also find language support in Klocwork good because it used to support only C, C++, C#, and Java, but now, it also supports Java scripts and Python."
"The ability to create custom checkers is a plus."
"I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not."
"Technical support is quite good."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
"There's a feature in Klocwork called 'on-the-fly analysis', which helps developers to find and fix the defects at the time of development itself."
"The solution is scalable."
"The API is exceptional."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"The solution has tightened our security."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"Simple and easy to learn and master."
"It's great that we can use it with Portswigger Burp."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"Klocwork has to improve its features to stay ahead of other free solutions."
"We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."
"We'd like to see integration with Agile DevOps and Agile methodologies."
"Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report."
"I believe it should support more languages, such as Python and JavaScript."
"I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc."
"Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
"This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages."
"Reporting format has no output, is cluttered and very long."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."
"Too many false positives; test reports could be improved."
"OWASP Zap needs to extend to mobile application testing."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"There's very little documentation that comes with OWASP Zap."
Klocwork is ranked 11th in Static Application Security Testing (SAST) with 20 reviews while OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews. Klocwork is rated 8.2, while OWASP Zap is rated 7.6. The top reviewer of Klocwork writes "Their technical team helps us get the most out of the solution, but we've faced some stability problems in our environment". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Klocwork is most compared with SonarQube, Coverity, Polyspace Code Prover, Checkmarx One and CodeSonar, whereas OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, Veracode and PortSwigger Burp Suite Professional. See our Klocwork vs. OWASP Zap report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.