OWASP Zap Reviews

Vijayanathan Naganathan
Real User
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Jun 21 2019

What is most valuable?

OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their…

How has it helped my organization?

We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had OAuth token change every time a request was being sent. Somebody from the support community had contributed a sample code to…

What needs improvement?

OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover, ZAP Proxy security scans are excellent, providing comprehensive coverage. One area where the…

What's my experience with pricing, setup cost, and licensing?

As far as pricing is concerned, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that…

What other advice do I have?

When people are trying to make use of OWASP Zap, I would advise first reading through and understanding the OWASP vulnerabilities very well. Then start looking at the features and tutorials of the OWASP ZAP Proxy that are made available online. There…
Vidar Folden
Consultant
Consultant at Moller
Feb 08 2019

What is most valuable?

Automatic scanning after a manual walkthrough is the most valuable feature.

How has it helped my organization?

This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we are doing large deployments, we might…

What needs improvement?

I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known…

What's my experience with pricing, setup cost, and licensing?

It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use.

If you previously used a different solution, which one did you use and why did you switch?

We tried PortSwigger Burp suite, but only briefly. We have also used IBM AppScan for a while.

What other advice do I have?

I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs. I would rate this solution an eight out of ten…

Which other solutions did I evaluate?

We ran IBM AppScan for a year, but it was expensive and did not deliver more value. Veracode was pretty much the same and cost the same. We then also looked at PortSwigger…
Find out what your peers are saying about OWASP , PortSwigger, Acunetix and others in Application Security Testing (AST). Updated: October 2019.
372,374 professionals have used our research since 2012.
GustavoGonzalez
Real User
Program Manager at a manufacturing company with 1,001-5,000 employees
May 02 2018

What is most valuable?

* Interception of proxy traffic
* Session comparisons
* Port scanner
* Fuzzing
* Brute force
* Cookie management

How has it helped my organization?

Using this tool helps enhance and speed up the process of covering big applications with many functionalities. It scans while you navigate, then you can save the requests…

What needs improvement?

I would like to see a version of "repeater" within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields…

What's my experience with pricing, setup cost, and licensing?

OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate.

If you previously used a different solution, which one did you use and why did you switch?

OWASP ZAP is one of the solutions that I use. For simple tasks, I use Fiddler. For other advanced techniques, I use the Burp Suite. I would say OWASP ZAP is a really…

What other advice do I have?

This is a very mature tool. It is capable of facilitating the work of many security experts. I highly recommend it for beginners and advanced users when some other tools…

Which other solutions did I evaluate?

As mentioned, Burp Suite and Fiddler are two other great options. OWASP ZAP excels for what it does and for how smooth and light the tool's learning curve can be.
Anish Mishra
Real User
Team Lead at a tech services company with 51-200 employees
May 02 2018

What is most valuable?

Fuzzer and Java APIs help a lot with our custom needs.

How has it helped my organization?

We save a significant amount of money on third-party security auditing time. We are also able to minimize most of the security threats for our software prior to releases, thus saving a lot of time on…

What needs improvement?

It would be nice to have a solid SQL injection engine built into Zap.

What's my experience with pricing, setup cost, and licensing?

As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out.

What other advice do I have?

I would rate it an eight out of 10, based on the usability and variety of features provided. It is highly customizable in terms of usability and reporting, and all of this is available in a free…

Which other solutions did I evaluate?

We evaluated several other packages prior to OWASP Zap, such as Burp Suite and Acunetix. We finally moved to Zap as it is open-source and provides almost all the features and the customization that we…
Vinod_Gupta
Real User
CEO and Founder at Indicrypt Systems
Jul 14 2019

What is most valuable?

The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular…

What needs improvement?

The automatic scans need improvement. The automated vulnerability assessments that the application performs need to be simplified as well as diversified.

What's my experience with pricing, setup cost, and licensing?

This app is completely free and open source. So there is no question about any pricing.

If you previously used a different solution, which one did you use and why did you switch?

Yes, we actually use a couple of different products but there is one specifically that we use, which is the Burp Suite.

What other advice do I have?

I would recommend that you go through the documentation really well. That's it. I would rate this product 8 out of 10.
Associa299191
Real User
Security Testing Engineer at a tech services company with 1,001-5,000 employees
Jul 29 2018

What is most valuable?

The community support that ZAP provides me. As open source, it provides me flexibility and is convenient to use.

How has it helped my organization?

Every now and then, there is an update. They add new vulnerabilities to the scan list. That is where they just keep on improving.

What needs improvement?

As security evolves, we would like DevOps built into it. As of now, Zap does not provide this. I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.

What other advice do I have?

The community edition updates services regularly. They add new vulnerabilities into the scanning list.
Real User
Senior Manager at a marketing services firm with 10,001+ employees
Jul 14 2019

What is most valuable?

The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.

What needs improvement?

I'm still in the process of exploring. I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help.

What other advice do I have?

I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.
Real User
Senior Engineer at an aerospace/defense firm with 10,001+ employees
Jul 31 2019

What do you think of OWASP Zap?

What is our primary use case?

We only tried out the demo to see what the solution offers and how it performs overall business scanning. They also offer open-source projects.

What needs improvement?

There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.

For how long have I used the solution?

I used OWASP Zap three to four months ago for less than a week.

What do I think about the stability of the solution?

The OWASP Zap solution was very stable during the few days we used it.

What do I think about the scalability of the solution?

The scalability of this product is very good.

What other advice do I have?

What is OWASP Zap?

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
