What is our primary use case?
I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues.
I get to use these tools to assess products/platforms before they go live to the market.
How has it helped my organization?
We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had OAuth token change every time a request was being sent. Somebody from the support community had contributed a sample code to accomplish this. In terms of the community support that is available, OWASP Zap has great set of features to use.
What is most valuable?
The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.
What needs improvement?
OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage.
One area where the tool can be improved is specifically, if there's some more intelligence that can be added on to the reporting feature, it would be great.
There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report.
That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.
There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation:
- Project information
- Client name
- Organization name
- Platform against which this test has been done
If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.
Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.
For how long have I used the solution?
We have been using OWASP Zap for more than eight months.
What do I think about the stability of the solution?
The only place that I faced issues with the OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that ZAP Proxy tool tends to be a little more slow to respond. We're not sure whether it's progressing at the background or whether the application is frozen. We have faced the encounter when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there.Other than that we have not seen significant issue with the tool.
What do I think about the scalability of the solution?
Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose this ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix, BurpSuite.
For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis, and make a recommendation that best suits them, explaining the pros and cons of each tools. i.e when you use a solution like OWASP Zap versus going on with a tool like Burp Suite or Acunetix.
How are customer service and technical support?
For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.
For example, we expected PortSwigger to have OAuth token to be available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.
In terms of product support, I would say, Port Swigger support has been very good.
How was the initial setup?
The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.
What's my experience with pricing, setup cost, and licensing?
As far as pricing concerns, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commerical licenses, OWASP Zap tool is the best fit.
What other advice do I have?
When people are trying to make use of OWASP Zap, I would advise first read through and understand the OWASP vulnerabilities very well. Then start looking at features, tutorials of the OWASP ZAP Proxy that are made available online.
There are a lot of YouTube videos, articles in the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which is already having vulnerabilities and assess the application around with the ZAP Proxy tool.
In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten.
Which version of this solution are you currently using?