We compared Veracode and OWASP Zap across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode is the preferred product over OWASP Zap. However, if you have a limited budget and technical expertise for setup and customization, go for OWASP ZAP. If you prioritize ease of use, a cloud-based solution, and you require a broader range of security functionalities beyond just vulnerability scanning, choose Veracode.
"We use the solution for security testing."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"The solution is good at reporting the vulnerabilities of the application."
"Automatic updates and pull request analysis."
"The application scanning feature is the most valuable feature."
"The scalability of this product is very good."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"The recommendations and frequent updates are the most valuable features of Veracode."
"The deployment mode is very useful."
"Our development team use this solution for static code analysis and pen testing."
"We use it to get our scan results and see where our software is vulnerable or not vulnerable."
"The source composition analysis had very good reporting."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them."
"The ability on static scans to be able to do sandbox scans which do not generate metrics."
"There's very little documentation that comes with OWASP Zap."
"The solution is unable to customize reports."
"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"It doesn't run on absolutely every operating system."
"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
"It needs more robust reporting tools."
"There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side."
"We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them."
"It's very expensive for a small organization."
"Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
"To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources."
"The scanning could be improved, because some scans take a bit of time."
"Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it."
OWASP Zap is ranked 8th in Application Security Testing (AST) with 37 reviews while Veracode is ranked 2nd in Application Security Testing (AST) with 194 reviews. OWASP Zap is rated 7.6, while Veracode is rated 8.2. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". OWASP Zap is most compared with SonarQube, Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning and Checkmarx One, whereas Veracode is most compared with SonarQube, Checkmarx One, Snyk, Fortify on Demand and Fortify Static Code Analyzer.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.