OWASP Zap Review

API Is Exceptional. Documentation needs some love

What is most valuable?

The API is exceptional.

How has it helped my organization?

I can provide examples of how OWASP Zed Attack Proxy (ZAP) has been used inside many of my customer's environments. I've set up Security Regression testing using the ZAP API and written about how this is done in my first book.

I've also spoken and run many pieces of training on setting up Security Regression testing with the ZAP API.

What needs improvement?

The documentation is lacking and out-of-date, it really needs more love. This is a common scenario with developers running many open-source projects. The community is trying to help with this. I've done my part with providing details on how to use the ZAP API for Security Regression testing. I think ZAP is now sponsored by the Linux Foundation.

For how long have I used the solution?

I have used this solution for around six to seven years.

What do I think about the stability of the solution?

There were no stability issues, it has been in production-ready for a long time.

What do I think about the scalability of the solution?

There were no scalability issues, ZAP is a very fully featured HTTP intercepting proxy with many types of attacks targeting a plethora of known vulnerabilities. The OWASP Top 10 receives good coverage with ZAP. The REST API scales as far as you have resources. ZAP also has a docker image.

How are customer service and technical support?

Technical support is excellent. The maintainers have gone well beyond what would be expected of any open-source project maintainers. They have personally worked with my customer projects to help on some of the issues we had with some legacy HTTP applications that had communications that were difficult to reason about. ZAP was not at fault at all, but the maintainers were very passionate about making sure I got the security regression system working well.

Which solution did I use previously and why did I switch?

I've used many HTTP intercepting proxies, ZAP is one of the few that has an excellent API to program against. Using ZAP manually is also very fully featured.

How was the initial setup?

Using the API was initially difficult to set-up, not because the API was difficult, but working out the incantations that needed to be sent. You can see these in my code.

What's my experience with pricing, setup cost, and licensing?

It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy.

Which other solutions did I evaluate?

I've been evaluating all the well-known HTTP intercepting proxies for years, as I have mentioned earlier, ZAP is the only one that has a fully featured REST API. It also has API clients written in many languages.

What other advice do I have?

Don't re-implement it, just use it.

It's an excellent solution, i.e., driven by committed and passionate security focussed developers.

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More OWASP Zap reviews from users
...who work at a Computer Software Company
...who compared it with PortSwigger Burp
Add a Comment