We performed a comparison between Fortify on Demand, OWASP Zap, and PortSwigger Burp Suite Professional based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Testing (AST).
"The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
"Fortify on Demand is easy to use and the reporting is good."
"One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
"Being able to reduce risk overall is a very valuable feature for us."
"Once we have our project created with our application pipeline connected to the test scanning, it only takes two minutes. The report explaining what needs to be modified related to security and vulnerabilities in our code is very helpful. We are able to do static and dynamic code scanning."
"The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them."
"The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
"It helps deploy and track changes easily as per time-to-time market upgrades."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"The solution is good at reporting the vulnerabilities of the application."
"The ZAP scan and code crawler are valuable features."
"It scans while you navigate, then you can save the requests performed and work with them later."
"Simple to use, good user interface."
"It's great that we can use it with PortSwigger Burp."
"The stability of the solution is very good."
"The solution has tightened our security."
"It is a time-saver application."
"It was easy to learn."
"Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
"You can scan any number of applications and it updates its database."
"It helps in API testing, where manual intervention was previously necessary for each payload."
"The most valuable feature is the application security. It also has a reasonable price."
"The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price."
"The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
"The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."
".NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio."
"The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."
"An improvement would be the ability to get vulnerabilities flowing automatically into another system."
"It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."
"If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."
"Takes up a lot of resources which can slow things down."
"The reporting feature could be more descriptive."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The port scanner is a little too slow."
"It would be nice to have a solid SQL injection engine built into Zap."
"OWASP Zap needs to extend to mobile application testing."
"There's very little documentation that comes with OWASP Zap."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"You can have many false positives in Burp Suite. It depends on the scale of the penetration testing."
"Mitigating the issues and low-confidence issues needs some improvement. Implementing demand with the ChatGPT under the web solution is an additional feature I would like to see in the next release."
"I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. The crawling techniques used in the current version are not as efficient as those used in earlier versions."
"There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."
"Currently, the scanning is only available in the full version of Burp, and not in the Community version."
"If your application uses multi-factor authentication, registration management cannot be automated."
"The Burp Collaborator needs improvement. There also needs to be improved integration."
"The biggest improvement that I would like to see from PortSwigger is something that today many people see as an issue in their testing. There might be a feature which might be desired."