What is our primary use case?
Security/penetration testing of a Java-based Web application which is served over a SaaS platform.
Zap has been integrated as one of the important tools in our QA cycle. All beta releases of our software go through Zap scanning. Custom reports are generated - they are pretty decent and standardized - and are submitted to upper management for auditing by a third party.
How has it helped my organization?
We save a significant amount of money on third-party security auditing time.
We are also able to minimize most of the security threats for our software prior to releases, thus saving a lot of time on security fixes and post-release patch builds.
What is most valuable?
Fuzzer and Java APIs help a lot with our custom needs.
What needs improvement?
It would be nice to have a solid SQL injection engine built into Zap.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No stability issues for us, so far.
What do I think about the scalability of the solution?
No major problems in terms of the scalability of the software.
How is customer service and technical support?
Community support and documentation are good.
How was the initial setup?
Setup of Zap is relatively easy and straightforward for any technical person, with good documentation to configure it according to your needs.
What's my experience with pricing, setup cost, and licensing?
As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out.
Which other solutions did I evaluate?
We evaluated several other packages prior to OWASP Zap, such as Burp Suite and Acunetix. We finally moved to Zap as it is open-source and provides almost all the features and the customization that we need.
What other advice do I have?
I would rate it an eight out of 10, based on the usability and variety of features provided. It is highly customizable in terms of usability and reporting, and all of this is available in a free solution.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
May 02 2018