We compared Veracode and OWASP Zap across several parameters based on our users' reviews. Our conclusion, drawn from the collected data, is below:
Based on the user reviews, Veracode is the preferred product over OWASP Zap. However, if you have a limited budget and the technical expertise for setup and customization, go for OWASP ZAP. If you prioritize ease of use and a cloud-based solution, and you require a broader range of security functionalities beyond just vulnerability scanning, choose Veracode.
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"It can be used effectively for internal auditing."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"It has evolved over the years and recently, in the last year, they have added HUD (Heads Up Display)."
"The API is exceptional."
"It updates repositories and libraries quickly."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"Automatic updates and pull request analysis."
"Veracode offers various security features."
"The automation of Veracode is great because we no longer have to run manual testing."
"The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."
"With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
"The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
"The coverage of backdoor attacks on security is what's most valuable for my clients."
"Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."
"One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
"The forced browse has been incorporated into the program and it is resource-intensive."
"Too many false positives; test reports could be improved."
"I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers."
"The automated vulnerability assessments that the application performs need to be simplified as well as diversified."
"The port scanner is a little too slow."
"The product reporting could be improved."
"I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."
"There is much to be desired in the UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
"The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
"Veracode should include the feature to run multiple scans at a time."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"The current version of the application does not support testing for API."
"It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture."
"We connected with Veracode's support a couple of times, and we got a different answer each time."
OWASP Zap is ranked 8th in Application Security Testing (AST) with 13 reviews while Veracode is ranked 2nd in Application Security Testing (AST) with 101 reviews. OWASP Zap is rated 7.6, while Veracode is rated 8.2. The top reviewer of OWASP Zap writes "Stable dynamic testing solution with unreliable manual processes". On the other hand, the top reviewer of Veracode writes "Great SAST, good DAST, and helps save a significant amount of time". OWASP Zap is most compared with SonarQube, PortSwigger Burp Suite Professional, Acunetix, Qualys Web Application Scanning and Checkmarx, whereas Veracode is most compared with SonarQube, Checkmarx, Snyk, Fortify on Demand and Fortify Static Code Analyzer. See our OWASP Zap vs. Veracode report.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.