Compare Netsparker and OWASP Zap. How Do I Choose?

One of the most popular comparisons on IT Central Station is Netsparker Web Application Security Scanner vs OWASP Zap.

People like you are trying to decide which one is best for their company. Can you help them out?

Which of these two solutions would you recommend for Application Security? Why?

Thanks for helping your peers make the best decision!


55 Answers


Both of the sentences below are true.
In my opinion, Checkmarx is a complement to SonarQube for needs related to security control, especially if you are challenged to respond to constraints like PCI standards. SonarQube and Checkmarx are well integrated, so you can easily imagine a big picture involving the two products. If a choice between the two solutions has to be made, there are a lot of pros and cons to consider: SonarQube is more user-friendly, produces fully configurable views of the code quality, is an open platform which offers the capability of writing plugins, and covers languages like COBOL. However, Checkmarx covers security standards almost entirely and analyzes a whole project (not only a source file), so the analysis is more complete. Moreover, Checkmarx can, with some limits of course, suggest the best place in the code to fix security issues.
If the aim is to analyze the quality of source code, SonarQube is today a good choice. If you have to focus on security, consider Checkmarx. If you have to do both, consider them both.


Netsparker and OWASP ZAP are completely different in their operation.

Netsparker is apt for automated testing of application security for low- and medium-level findings, whereas OWASP ZAP is very specific for testing Cross-Site Request Forgery attacks. Netsparker is a paid iteration, whereas OWASP ZAP is available for free.

In this situation, I would recommend Netsparker for Application Security testing.


ZAP has a good proxy too. Netsparker also has a good proxy, but it is a paid product.
Also, ZAP has a REST API which people can integrate with to scan web apps.

Overall I think if you are looking for something in opensource ZAP is best and if paid Netsparker is best.
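The REST API mentioned above is what makes ZAP usable in a pipeline rather than only from its desktop UI. The script below is an added example written for this page, not code from the thread or from the ZAP project: it drives a ZAP daemon through its JSON API (spider, active scan, then pull alerts) and turns the alert list into a pass/fail gate. The daemon address `ZAP_BASE`, the key `API_KEY` and the threshold in `gate()` are assumptions; `SAMPLE_ALERTS` is a constructed response shaped like the output of `core/view/alerts` so the summarizing and gating logic can be exercised without a running ZAP.

```python
"""CI-style driver for the OWASP ZAP REST API (added example, not from the page).

Assumptions: a ZAP daemon listens on ZAP_BASE with API key API_KEY, and the
documented JSON endpoints are used:
  /JSON/spider/action/scan/   /JSON/spider/view/status/
  /JSON/ascan/action/scan/    /JSON/ascan/view/status/
  /JSON/core/view/alerts/
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumed daemon address (zap.sh -daemon -port 8080)
API_KEY = "changeme"                # assumed key; ZAP rejects API calls without one by default


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL: /JSON/<component>/<action|view>/<name>/?...&apikey=..."""
    query = dict(params)
    query["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def _get(url):
    """Perform the GET and decode the JSON body (only used when a daemon is reachable)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())


def wait_for(component, scan_id, poll=2.0):
    """Poll <component>/view/status/ until the scan reports 100 percent complete."""
    while True:
        status = int(_get(api_url(component, "view", "status", scanId=scan_id))["status"])
        if status >= 100:
            return
        time.sleep(poll)


def summarize_alerts(alerts_json):
    """Count alerts by ZAP risk level from a core/view/alerts response dict."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts_json.get("alerts", []):
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def gate(counts, fail_on=("High", "Medium")):
    """Return True when the build should fail: any alert at an assumed-blocking risk level."""
    return any(counts.get(level, 0) > 0 for level in fail_on)


def scan(target):
    """Spider, then actively scan, the target and return the risk counts. Needs a live daemon."""
    spider_id = _get(api_url("spider", "action", "scan", url=target))["scan"]
    wait_for("spider", spider_id)
    ascan_id = _get(api_url("ascan", "action", "scan", url=target))["scan"]
    wait_for("ascan", ascan_id)
    alerts = _get(api_url("core", "view", "alerts", baseurl=target, start="0", count="1000"))
    return summarize_alerts(alerts)


# Constructed sample, shaped like the core/view/alerts response, for offline use.
SAMPLE_ALERTS = {
    "alerts": [
        {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
         "url": "http://target.example/search?q=x", "param": "q"},
        {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
         "url": "http://target.example/", "param": ""},
        {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
         "url": "http://target.example/profile", "param": ""},
    ]
}

if __name__ == "__main__":
    import sys
    # With a URL argument, scan it for real; otherwise gate on the constructed sample.
    counts = scan(sys.argv[1]) if len(sys.argv) > 1 else summarize_alerts(SAMPLE_ALERTS)
    print(counts)
    sys.exit(1 if gate(counts) else 0)
```

Run it with a target URL against a daemon started with `zap.sh -daemon` and the matching key, and the exit code becomes the pipeline verdict; without an argument it only exercises the gating on the sample. Keep the threshold in `gate()` deliberate: failing on Medium will block on things like missing anti-CSRF tokens, which is the kind of finding the thread says ZAP is good at surfacing but which a team may prefer to triage rather than block on.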


ZAP is free and does a fairly good job. However, it requires manual intervention and lacks many of the features that a commercial tool provides. If cost is not a factor, you should go for Netsparker/AppScan etc. Alternatively, you can start with ZAP and see if it meets your requirements, and plan to upgrade accordingly.


I would choose the OWASP ZAP application instead of Netsparker. The reason is simple: the solutions are very similar, but I could do the same things using ZAP for free.

If I had to pay for a complete tool, I would buy Burp Suite. That tool could offer me more capabilities and extensions.

Definitely, I would choose OWASP ZAP (it has a big community behind the project).

Find out what your peers are saying about Netsparker Web Application Security Scanner vs. OWASP Zap and other solutions. Updated: May 2021.