OWASP Zap Review

Has made us feel safer doing frequent deployments for web applications and has a plug-in into every major system

What is our primary use case?

Our primary use case of this solution is to scan and check that the applications we put on the internet are safe and secure.

How has it helped my organization?

This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we are doing large deployments, we might get a professional security partner in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes the process easier and safer.

What is most valuable?

Automatic scanning after a manual walkthrough is the most valuable feature. 

What needs improvement?

I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning. 

I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?


What do I think about the scalability of the solution?

In terms of scalability, I only tried it on small applications, so I don't know, but it seems very quick. We have plans to increase usage and to also support APIs and not just the applications. All applications that will be exposed to the internet are scanned. The ones that are used internally, in the organization, are not scanned at this point in time.

How are customer service and technical support?

I never had to reach out to their technical support. The internet forums are great. There's so much open information on the internet so you don't really need much else. 

Which solution did I use previously and why did I switch?

We tried PortSwigger Burp suite, but only briefly. We have also used IBM AppScan for a while.

How was the initial setup?

The initial setup was straightforward. We didn't have to do much. There was an easy to follow guide online and there was not much to do other than to follow a straightforward tutorial. Deployment took around an hour. 

What about the implementation team?

I implemented it myself. 

What's my experience with pricing, setup cost, and licensing?

It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use.

Which other solutions did I evaluate?

We ran IBM Appscan for a year, but it was expensive and did not deliver more value. Veracode was pretty much the same and cost the same. We then also looked at PortSwigger Burp Suite Pro, which is at a better price point and a very good expert tool. Though at this point in time, given our needs, it does not seem to give us any advantage over ZAP. Also, the forums and the internet community is excellent on ZAP and it's free.

What other advice do I have?

I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs.

I would rate this solution an eight out of ten. It does what it says it will do and it's not hard to set up. It is also easy to use both automatically and manually and has a plug-in into every major build-tool, like Jenkins , Gitlab and others. You can automate it through a building process.

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More OWASP Zap reviews from users
...who work at a Computer Software Company
...who compared it with PortSwigger Burp
Add a Comment