What is most valuable?
- Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
- Simple and easy to learn and master.
- Good online product documentation.
- Built in features include: Intercepting proxy, Plug and Hack support, Automated scanning, Passing scan, Fuzzer, Traditional and Ajax Crawling and Web Socket support and so on.
- Detailed reporting mechanism.
- The tool has been translated in 25 different languages.
- Can be executed through GUI, command line and also in Daemon mode with the help of REST API.
- Very good API support for automating security tests.
- Supports multiple platforms like Mac, Linux and Windows.
- It's easy to create add-ons and extensions to scale up the features of the tool.
How has it helped my organization?
We have leveraged our existing functional tests for security testing by integrating web driver scripts with the OWASP ZAP tool.
What needs improvement?
Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.
For how long have I used the solution?
What was my experience with deployment of the solution?
Did not encounter any issues. It's easy to install and configure.
What do I think about the stability of the solution?
So far I am very comfortable and did not find any stability related issues.
What do I think about the scalability of the solution?
It is scalable, by creating new extensions and add-ons for the tool. But we faced a couple of challenges initially which were solved with the help of online documentation
How are customer service and technical support?
4/10 Technical Support
Which solution did I use previously and why did I switch?
How was the initial setup?
It is very simple to install and configure.
What about the implementation team?
We have implemented this with the in-house team support.
What was our ROI?
Instead of creating a new framework for security tests, it helped us to leverage (reuse) existing functional test automation framework for security tests. This reduces lot of rework.
What's my experience with pricing, setup cost, and licensing?
It is highly recommended as it is an open source tool.
Which other solutions did I evaluate?
No, we are happy with the features provided with this tool, but if you want to go with static code analysis for security tests, we need to find a different option here.
What other advice do I have?
Very good and useful tool for security testing and penetrations testers.