OWASP Zap Room for Improvement

Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover, ZAP Proxy security scans are excellent, providing comprehensive coverage. One area where the tool can be improved is specifically the reporting feature: if some more intelligence could be added to it, that would be great. There's some element of intelligence that can be built into it as to how reports are generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If additional templates could be put in place, the reports would come out very well, and we'd be able to edit them while reading the report. That would be good for us to make it through, because that is an area we've typically seen as common in other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze the impacts and then we generate the report. There's the element of documentation that we need to create along with that. It would help if there were a provision to enter inputs like the following as part of report generation:
* Project information
* Client name
* Organization name
* Platform against which this test has been done
If these small inputs could be handled, at the end I would have a customized report which I could easily hand over to the customer. Today this is something not easily available at that level in the tool. In the reporting presentation format, the Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.
Vidar Folden
Consultant at Moller
I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning. I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.
Program Manager at a manufacturing company with 1,001-5,000 employees
I would like to see a version of "repeater" within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.
Find out what your peers are saying about OWASP , PortSwigger, Acunetix and others in Application Security Testing (AST). Updated: January 2020.
398,050 professionals have used our research since 2012.
Anish Mishra
Team Lead at a tech services company with 51-200 employees
It would be nice to have a solid SQL injection engine built into Zap.
CEO and Founder at Indicrypt Systems
The automatic scans need improvement. The automated vulnerability assessments that the application performs need to be simplified as well as diversified.
Security Testing Engineer at a tech services company with 1,001-5,000 employees
As security evolves, we would like DevOps built into it. As of now, Zap does not provide this. I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.
Senior Manager at a marketing services firm with 10,001+ employees
I'm still in the process of exploring. I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help.
Senior Engineer at an aerospace/defense firm with 10,001+ employees
There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.
Dittin A
Staff Scientist/Senior Tech. Officer at a tech vendor with 501-1,000 employees
It needs more robust reporting tools that can be in an editable form.
Krystian Przybyl
The port scanner and Zap could not send a request several times, but this has been corrected.