2018-03-12 10:20:00 UTC

Which Would You Recommend To Your Boss, OWASP Zap or PortSwigger Burp?

One of the most popular comparisons on IT Central Station is OWASP Zap vs PortSwigger Burp.


Which of these two solutions would you recommend for Application Security Testing and why?



44 Answers
Top 5, Real User

Both have very powerful abilities. ZAP can be an advantage for free, but Burp's free version will work similarly. As someone who uses both, depending on the circumstances, one can be preferred to the other.

2018-03-15 05:49:42 UTC
Top 20, Real User

I’ll have to ask my community. I have had just passing experience with PortSwigger and I know OWASP has a list of website security best dev practices to avoid cross-site scripting and other vulnerabilities.

Micro Focus just did a demo with me on their product Fortify. It runs static and dynamic code analysis using OWASP recommendations, in about 16 programming languages, including VBScript. They do not have integration with ALM yet.

2018-03-15 12:40:18 UTC

We use Rapid7 for our dynamic testing. I do not have experience with the two below, even though I went to a talk on Zap a week ago, and the person did warn this was not a tool to be using on a production system since it would be putting some data in the database as part of its attacks, so it needed to be done in a test environment.

2018-03-14 19:27:02 UTC

I wasn’t aware of OWASP ZAP and we are using PortSwigger Burp in our software development company, so I would recommend Burp, but I’m already downloading OWASP ZAP and will evaluate it to see the advantages/disadvantages.

2018-03-14 13:34:33 UTC
Find out what your peers are saying about OWASP Zap vs. PortSwigger Burp and other solutions. Updated: March 2020.