OWASP Zap Review

Finds Vulnerabilities And Gives The Latest Attacks And How To Protect Against Them

What is most valuable?

The vulnerabilities that it finds, because the primary goal is to secure applications and websites.

How has it helped my organization?

When I checked the CVE and MITRE databases, that gives the latest attacks that are out there for a particular software, hardware and how to protect against it.

What needs improvement?

It's possibly just a limitation of the product itself but sometimes it won't scan a particular website so you have to manually go in and make some configuration changes.

Also, it needs to have more feeds such as from the Darknet, RSS or intelligence like US-CERT, or some of those like NISTs or other standing bodies because right now it's got some CVEs in there but there's more to it than just that. So if it could tie into those, somehow, so you could do some research, like a "research tab" under tools and some one-click access to those forums and feeds.

In addition, it doesn't run on absolutely every operating system.

For how long have I used the solution?

Five years.

What do I think about the stability of the solution?

As far as stability goes, perhaps if you're running it in a Kali Linux virtual machine, sometimes it doesn't close out right away so I don't know if it takes too much time to flush that RAM out. It won't crash but it will lag. On Windows, it'll just close right away.

What do I think about the scalability of the solution?

Not at this point. Normally I just play with it on Windows but lately I've been using it on Kali.

How are customer service and technical support?

I haven't used it. If I have a question I'll just Google it.

Also, if you go into a forum, while that's kind of like calling a human, you're really not. It's a very well developed and very mature forum with a lot of people from different organizations all over the world, so it's top notch.

Which solution did I use previously and why did I switch?

I use a lot of different tools, the right tool for the job. Burp Suite, IBM Security AppScan, InMap, NIKTO, Wpscan. Depending on what you find, you might have to use better tools so OWASP Zap. I don't know if it's copyright infringement or not, given that it's open source, but it's possible they could build someone else's tools into the GUI of OWASP Zap. As the months and years go by, you'll probably see more features in there.

I'd have to say Burp Suite Pro, which is the licensed, paid-for version, is better but that's just because it's got more funding.

How was the initial setup?

If you're talking about Kali, which is the Linux Pentesting operating system, it comes built in. The only thing you have to do is update it from time to time and you can automate that with like a cron or a script. With Windows you have to download it manually, install it manually and check for updates.

Which other solutions did I evaluate?

Burp Suite. It's part of the pool in terms of the tools that do the job, whether they're free or commercially based. So Burp Suite and Nikto, and WPScan, that's for WordPress. They're all website security checkers per se, but they're not all created equal, some are specialized for certain things.

What other advice do I have?

If you're a company and you've got your own websites, internally and externally, it's great. It's a great free, open source tool to get your security staff and even your web developers to use it. If you already have a mature SDLC framework in place or web development, then maybe you should get even maybe more serious and buy the Burp Suite Professional license or other tools out there like Acunetix.

But overall I think it's a great product. It finds, I'd say, 90% if not more of the things that it needs to and helps you remediate any security findings.

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More OWASP Zap reviews from users
...who work at a Computer Software Company
...who compared it with PortSwigger Burp
Add a Comment