We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
"It is scalable and very easy to use."
"The accuracy of its scans is great."
"The user interface is ok and it is very simple to use."
"The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
"The most valuable feature is the static analysis."
"Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features."
"The solution is easy to use."
"They offer free access to some other tools."
"It has evolved over the years and recently in the last year they have added HUD (Heads Up Display)."
"The stability of the solution is very good."
"Simple to use, good user interface."
"The solution is scalable."
"The interface is easy to use."
"The solution is good at reporting the vulnerabilities of the application."
"Automatic scanning is a valuable feature and very easy to use."
"The scanner could be better."
"Our biggest complaint about this product is that it freezes up, and literally doesn't work for us."
"Creating reports is very slow and it is something that should be improved."
"It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application."
"It took us between eight and ten hours to scan an entire site, which is somewhat slow and something that I think can be improved."
"Lately, we've seen more false negatives."
"The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Too many false positives; test reports could be improved."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"Reporting format has no output, is cluttered and very long."
"Deployment is somewhat complicated."
"Our licensing is such that you can only run one scan at a time, which is inconvenient."
"Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."
"The pricing is not clear and while it is not high, it is difficult to understand."
"This solution is open source and free."
"This is an open-source solution and can be used free of charge."
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
Fortify WebInspect is ranked 11th in Application Security Testing (AST) with 7 reviews while OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews. Fortify WebInspect is rated 7.0, while OWASP Zap is rated 7.0. The top reviewer of Fortify WebInspect writes "Good reporting and vulnerability management, but needs better performance and resource utilization". On the other hand, the top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". Fortify WebInspect is most compared with PortSwigger Burp Suite Professional, Micro Focus Fortify on Demand, Veracode, HCL AppScan and Acunetix by Invicti, whereas OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix by Invicti, Qualys Web Application Scanning and Netsparker by Invicti.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.