OWASP Zap Review

Provides good automatic scanning and privacy; reporting could be improved

What is our primary use case?

We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users. 

How has it helped my organization?

The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support. 

What is most valuable?

The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.

What needs improvement?

The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.

For how long have I used the solution?

I've been using this solution for about one year. 

What do I think about the stability of the solution?

The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.

How are customer service and technical support?

We are using the open source version so we have no technical support for now.

How was the initial setup?

The installation is very simple. It's just an executable file because for now, we are not using it as a part of CACD or anything else. We have just installed the open source version on the laptop which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information wise and operational wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.

Which other solutions did I evaluate?

I carried out an evaluation between Checkmarx and OWASP Zap.

What other advice do I have?

If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that. 

I rate this solution a six out of 10.

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More OWASP Zap reviews from users
...who work at a Computer Software Company
...who compared it with Veracode
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
534,226 professionals have used our research since 2012.
Add a Comment
ITCS user