Don Robbins, Software Configuration Manager at a tech vendor
Piyush Sharma, Technical Specialist (DevOps) at a tech services company
We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
"The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
"Our static operation security has been able to identify more security issues since implementing this solution."
"Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
"The most valuable features are the easy-to-understand interface, and it's very user-friendly."
"The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
"The user interface is excellent. It's very user-friendly."
"The most valuable feature is the simple user interface."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"The scalability of this product is very good."
"Automatic updates and pull request analysis."
"Simple to use, good user interface."
"The interface is easy to use."
"The solution is good at reporting the vulnerabilities of the application."
"The stability of the solution is very good."
"The reports are good, but they still need to be improved considering what the UI offers."
"It would be really helpful if the level of confidence was included, with respect to identified issues."
"Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
"We have received some feedback from our customers who are receiving a large number of false positives."
"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
"I would like to see the rate of false positives reduced."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"There's very little documentation that comes with OWASP Zap."
"The automated vulnerability assessments that the application performs need to be simplified as well as diversified."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of baselining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help."
"I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers."
"Deployment is somewhat complicated."
"Too many false positives; test reports could be improved."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"This solution is expensive. The customized package allows you to buy additional users at any time."
"It's relatively expensive."
"The interface used to create custom rules comes at an additional cost."
"The number of users and coverage for languages will have an impact on the cost of the license."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"OWASP Zap is free to use."
"This app is completely free and open source. So there is no question about any pricing."
"This is an open-source solution and can be used free of charge."
Checkmarx CxSAST is a highly accurate and flexible Static Code Analysis product that allows organizations to automatically scan uncompiled/unbuilt code and identify hundreds of security vulnerabilities in all major coding languages. CxSAST is available as a standalone product and can be effectively integrated into the Software Development Lifecycle (SDLC) to streamline detection and remediation. CxSAST can be deployed on-premises in a private data center or hosted via a public cloud.
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
Checkmarx is ranked 2nd in Application Security Testing (AST) with 19 reviews, while OWASP Zap is ranked 6th in Application Security Testing (AST) with 10 reviews. Checkmarx is rated 7.8, while OWASP Zap is rated 7.4. The top reviewer of Checkmarx writes "Works well with Windows servers but no Linux support and takes too long to scan files". On the other hand, the top reviewer of OWASP Zap writes "Inexpensive licensing, free to use, and has good community support". Checkmarx is most compared with SonarQube, Veracode, Micro Focus Fortify on Demand, Coverity and Sonatype Nexus Lifecycle, whereas OWASP Zap is most compared with PortSwigger Burp Suite Professional, Acunetix Vulnerability Scanner, Veracode, Qualys Web Application Scanning and Netsparker Web Application Security Scanner.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.