We performed a comparison between OWASP Zap and Qualys Web Application Scanning based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"They offer free access to some other tools."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"The API is exceptional."
"The solution is scalable."
"You can run it against multiple targets."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools."
"It is a cloud-based solution, so it is easy to scale."
"I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
"It is easy to use."
"Key features include: Cloud-based, so the installation is not so tedious. Easily deployed. Highly scalable. Comprehensive reporting."
"Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations."
"You can integrate your Burp Suite results and create an integrated report. Also, the way it shows the results - threats and exploit details - makes remediation very easy."
"The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"The reporting feature could be more descriptive."
"There's very little documentation that comes with OWASP Zap."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
"Deployment is somewhat complicated."
"Lacks resources where users can internally access a learning module from the tool."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The documentation is lacking and out-of-date, it really needs more love."
"There should be better visibility into the application."
"Sometimes the response time is low because the handshake fails, and then you have to re-login and start again."
"We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."
"In certain cases, this product does have false positives, which the company should work on."
"Deployment can be complicated."
"There should be better visibility into the application."
"They should try to include business logic vulnerabilities in the scanner testing."
"In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."
More Qualys Web Application Scanning Pricing and Cost Advice →
OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews while Qualys Web Application Scanning is ranked 14th in Static Application Security Testing (SAST) with 31 reviews. OWASP Zap is rated 7.6, while Qualys Web Application Scanning is rated 7.8. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". OWASP Zap is most compared with SonarQube, Acunetix, PortSwigger Burp Suite Professional, Veracode and Checkmarx One, whereas Qualys Web Application Scanning is most compared with SonarQube, Veracode, PortSwigger Burp Suite Professional, Fortify WebInspect and Tenable.io Web Application Scanning. See our OWASP Zap vs. Qualys Web Application Scanning report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.