We use the solution for scanning pipelines.
A stable and available solution that helps users scan and fix vulnerabilities in the pipeline
Pros and Cons
- "The product helps users to scan and fix vulnerabilities in the pipeline."
- "The technical support team must be proactive."
What is our primary use case?
What is most valuable?
It is a good solution. We get good feedback about the product from our clients. The product helps users to scan and fix vulnerabilities in the pipeline.
What needs improvement?
The technical support team must be proactive. The team must advise users about the available features, how to find them, and how to use them better.
For how long have I used the solution?
We have been using the solution for a customer for six to eight months.
Buyer's Guide
OWASP Zap
May 2025

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.
What do I think about the stability of the solution?
We have not experienced any challenges in the tool's maintenance, availability, and stability.
What do I think about the scalability of the solution?
The scalability could be better. I rate the tool’s scalability a seven out of ten. Our customers are medium-sized businesses.
How are customer service and support?
The technical support is very good. We had some issues during installation. We reached out to the support team and got it clarified immediately. We have reached out to the support team only once. If we continue getting good support from the team, I might rate support a nine or ten out of ten in the future. For now, I rate it an eight out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The installation and integration are easy. It's not challenging. The implementation was done in different phases. Our customers took a few days to install the solution. They needed two engineers to install it. We do not have any problems maintaining the tool. It is deployed on the cloud.
What other advice do I have?
I would recommend the solution to my clients since it is a proven product. We have no issues with stability, scalability, and technical support. Overall, I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Consultant

Cloud Solutions Architect at TANGENT SOLUTIONS
Enables to perform general health checks and ensure the sites are secure
Pros and Cons
- "The ZAP scan and code crawler are valuable features."
- "Sometimes, we get some false positives."
What is our primary use case?
I use the solution to follow the framework and help my developers develop apps securely from the ground up with the right practices in mind. As part of the DevOps process, we use the tool to scan and see if the web apps are vulnerable. We integrated the tool into our development life cycle for security testing in our DevOps pipeline. We use the tool to spider and test the website.
How has it helped my organization?
The solution helped identify attacks like Cross-site Scripting and SQL Injection. We can perform general health checks to see if the site is secure. If there are problems, they get fixed by the developers before they get to production.
What is most valuable?
The ZAP scan and code crawler are valuable features. It is automated in the DevOps pipeline. The scans are run automatically if a new project is set up and merged into the development branch. It makes our detection process easier. There are long-term benefits because we are not fixing it after we've developed. We are fixing it while we develop.
What needs improvement?
Sometimes, we get some false positives. The developers understand the context and usually tell me if it's a false positive and why. The reporting was bad in the past, but it has improved. It would be nice if we could have the report output in PDF. The product could automate the reports to email.
For how long have I used the solution?
I have been using the solution for a couple of years.
What do I think about the stability of the solution?
We have never had issues or downtime.
What do I think about the scalability of the solution?
The tool’s scalability is fine for the way we use it. It would be helpful if the tool had a scalable package to deploy and scale out when we had more websites to scan. The vendor must provide a SaaS solution. It could be like a private and externally hosted firewall that we could just subscribe to and run scans.
How was the initial setup?
The product is deployed on the cloud. The on-premise system is easy. We can use the container system. The DevOps pipeline is the easiest. The deployment took about eight hours.
What's my experience with pricing, setup cost, and licensing?
The tool is open source.
Which other solutions did I evaluate?
I've always used other solutions, which always contain the OWASP open-source tool behind the scenes. We can't compare OWASP Zap with anything else. The solution has an active community. The vendor keeps improving the OWASP framework often. There's no reason for me to deviate from it. OWASP is used widely in web application firewalls as the rule engine.
What other advice do I have?
I will recommend the product to others. Everyone must use the tool. Overall, I rate the solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager, Quality Assurance at Managed Markets Insight & Technology, LLC
It's easy to use and the automated scan is powerful, but the cloud integration could be improved
Pros and Cons
- "ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
- "ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
What is our primary use case?
We use ZAP for penetration testing.
What is most valuable?
ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.
What needs improvement?
ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline.
For how long have I used the solution?
We have used ZAP for more than six months.
What do I think about the stability of the solution?
ZAP is stable.
How are customer service and support?
I rate ZAP support seven out of 10. It's good.
How would you rate customer service and support?
Neutral
How was the initial setup?
Deploying ZAP is straightforward. It took me and one other person three or four days to install and configure ZAP.
What's my experience with pricing, setup cost, and licensing?
We use the community version.
Which other solutions did I evaluate?
We did a POC for a tool by NetSuite, but that was a paid tool.
What other advice do I have?
I rate OWASP ZAP seven out of 10. It's an excellent penetration testing tool for developers. That scanning part is solid, but the integration with AWS and Azure pipelines could be better.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Engineer at a transportation company with 10,001+ employees
Good functionality and works well with Portswigger Burp but it needs to add more extensions
Pros and Cons
- "It's great that we can use it with Portswigger Burp."
- "They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."
What is our primary use case?
I primarily use the solution for different use cases. It's good for analysis. It also offers additional extensions you can take advantage of. There are different scan extensions you can leverage.
How has it helped my organization?
It helps that we can use it hand in hand with Portswigger Burp. Since each has scanning capabilities, we can use them together and leverage whichever has the better scanning extension, depending on what we need.
What is most valuable?
We like the functionality.
It's great that we can use it with Portswigger Burp.
There is a good community surrounding the solution.
The initial setup is easy.
It's stable and reliable.
The solution can scale.
What needs improvement?
We'd like the solution to continue to add more extensions.
They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better. It's not as good as it was.
For how long have I used the solution?
I've used the solution since 2013. I've used it for quite some time.
What do I think about the stability of the solution?
It is pretty stable. There are no bugs or glitches. It doesn't crash or freeze. It is reliable.
What do I think about the scalability of the solution?
The solution is pretty scalable. It's easy to extend as needed.
How are customer service and support?
Technical support used to be very good. Then they stopped. Now, they are coming back. However, they are behind in support services.
Which solution did I use previously and why did I switch?
I've also used Portswigger Burp. I can use both at the same time and use extensions to leverage them together.
How was the initial setup?
The setup is simple and straightforward, depending on your level of knowledge. Portswigger Burp may be a bit easier. However, both are straightforward. This is not complex to implement. It also doesn't take long to deploy.
If you can download it in five minutes, you can have it set up in seven minutes.
What's my experience with pricing, setup cost, and licensing?
This solution is open-source and free to use.
What other advice do I have?
I am using the latest version. I usually download the latest version and then use it.
Users need to read the documentation before starting. Users need to educate themselves before they start.
I'd rate the solution seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Data Protection Officer at a tech services company with 11-50 employees
Customization and reporting streamline security testing in pipelines
Pros and Cons
- "OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."
- "OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."
What is our primary use case?
I primarily use OWASP Zap for DevSecOps within the pipeline. It's mainly integrated via a YAML file into GitHub actions. In addition to that, I use it for external tests like web crawling and web application penetration tests.
What is most valuable?
OWASP Zap's add-on feature to customize wordlists is very useful for tasks like brute forcing credentials and other test cases. Additionally, the reporting feature is effective as it provides remediation suggestions and allows for flagging false positives, which helps in reducing noise in the reports.
What needs improvement?
OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings. Additionally, a cloud version of the tool could enhance scalability and resource management, especially for larger tests that consume more local resources.
For how long have I used the solution?
I have been working with OWASP Zap for four or five years.
What do I think about the stability of the solution?
I have not faced any stability issues with OWASP Zap. The stability is largely dependent on the available computing resources.
What do I think about the scalability of the solution?
OWASP Zap's scalability is impressive, but it depends on the available computing resources. With sufficient resources, it operates efficiently.
How are customer service and support?
OWASP Zap has community support available, but I have never used it because I've never needed it.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of OWASP Zap is quite easy and not challenging at all. I would rate it ten out of ten in terms of ease.
What other advice do I have?
OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative. I rate it nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 10, 2025
Head Of Development at VALOORES
An easy-to-install product that discovers more vulnerabilities than any other tool in the market
Pros and Cons
- "The product discovers more vulnerabilities compared to other tools."
- "The product should allow users to customize the report based on their needs."
What is our primary use case?
We use the product to ensure that our source code is safe enough and has no vulnerabilities before delivering a new release for our AML product. We also used the product for dynamic testing to test applications as a black box.
What is most valuable?
The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.
What needs improvement?
The product should allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it's better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability.
If I need to figure out only the critical or the high severity, I shouldn't have to figure out the low severity vulnerabilities or the code smells. These services could be helpful for the end user and save time whenever we need to generate a new report. The execution time is a little bit exaggerated. This process can optimize the report's performance.
For how long have I used the solution?
I have been using the solution for two to three months.
What do I think about the stability of the solution?
The solution is very stable. I rate the solution’s stability a nine out of ten.
What do I think about the scalability of the solution?
Two resources from our security team work on generating and implementing reports. However, many other developers use the product to fix vulnerabilities and penetrate or audit the whole source code for products. The owner of the product and the developers are involved in the correction and the long-term plan to cover or close the vulnerability.
How was the initial setup?
I rate the ease of setup an eight out of ten.
What about the implementation team?
The installation is quick. It can be done in a couple of hours.
What's my experience with pricing, setup cost, and licensing?
The solution’s pricing is high. I rate the pricing a nine or ten out of ten. There is an indirect cost on the resources and specs needed to deploy or implement the product. When we run the report, it consumes a lot of du from the servers.
What other advice do I have?
We use SonarQube for penetration testing. We are most likely to have hybrid solutions. However, the deployment model depends on our clients, the data, and the type of product we will deploy. I didn't use automatic scalability for our deliveries and deployment.
The solution is worth using. We've used many tools and discovered that OWASP detects multiple high vulnerabilities, which the other tools do not detect. Overall, I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Inexpensive licensing, free to use, and has good community support
Pros and Cons
- "The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
- "There's very little documentation that comes with OWASP Zap."
What is our primary use case?
I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on the security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues.
I get to use these tools to assess products/platforms before they go live to the market.
How has it helped my organization?
We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had the OAuth token change every time a request was being sent. Somebody from the support community had contributed a sample code to accomplish this. In terms of the community support that is available, OWASP Zap has a great set of features to use.
What is most valuable?
The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.
What needs improvement?
OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover, ZAP Proxy security scans are excellent, providing comprehensive coverage.
One area where the tool can be improved is the reporting feature; if some more intelligence could be added to it, it would be great.
There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there were additional templates that could be put in place, the reports would come out very well, and we'd be able to edit them while reading the report.
That could be good for us to make it through, because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.
There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like the ones below as part of report generation:
- Project information
- Client name
- Organization name
- Platform against which this test has been done
If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.
Today this is something not easily available at that level in the tool. In the reporting presentation format, the Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.
For how long have I used the solution?
We have been using OWASP Zap for more than eight months.
What do I think about the stability of the solution?
The only place that I faced issues with the OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that the ZAP Proxy tool tends to be a little slower to respond. We're not sure whether it's progressing in the background or whether the application is frozen. We have faced the encounter when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there. Other than that we have not seen any significant issues with the tool.
What do I think about the scalability of the solution?
Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose this ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix, BurpSuite.
For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis, and make a recommendation that best suits them, explaining the pros and cons of each tool, i.e. when you use a solution like OWASP Zap versus going on with a tool like Burp Suite or Acunetix.
How are customer service and technical support?
For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.
For example, we expected PortSwigger to have OAuth tokens available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.
In terms of product support, I would say PortSwigger support has been very good.
How was the initial setup?
The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.
What's my experience with pricing, setup cost, and licensing?
As far as pricing is concerned, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commercial licenses, the OWASP Zap tool is the best fit.
What other advice do I have?
When people are trying to make use of OWASP Zap, I would advise first reading through and understanding the OWASP vulnerabilities very well. Then start looking at the features and tutorials of the OWASP ZAP Proxy that are made available online.
There are a lot of YouTube videos and articles on the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which already has vulnerabilities and assess the application with the ZAP Proxy tool.
In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Officer at UnDisclosed
Stable dynamic testing solution with unreliable manual processes
Pros and Cons
- "Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
- "The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
What is our primary use case?
OWASP Zap is used for dynamic testing, so when any kind of application, like a web application, needs to be tested for its security and vulnerabilities. It is also used to crawl the site and then to enumerate all the input or the possible exploitation points, and then we try to exploit any blockings within OWASP Zap.
How has it helped my organization?
It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities, I rate it a seven out of ten. But there are many things that I have to do manually for safety and better clarification.
What is most valuable?
I think the automation feature is the one I used the most in the tool. For the crawling and enumeration one and the feature, we can manipulate the insides of the response. So, we can manipulate web responses and use them to test a certain website's security.
What needs improvement?
Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to do it manually. How to differentiate between the false positives and the true findings needs improvement. In general, the shortcomings in the accuracy of the findings need to be improved.
The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.
For how long have I used the solution?
I have been using the solution for four or five years. We got the information from the community that it is open-source software, so we are using it as part of the community. We are using the open-source version. It is not difficult to upgrade to the latest version.
What do I think about the stability of the solution?
Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high. I never found the applications crashing.
What do I think about the scalability of the solution?
Scalability-wise, I rate the solution a five out of ten.
The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time. Five users who are IT security engineers in my company use the tool. I plan to increase the usage of the tool in the future.
How are customer service and support?
Since it's a community-based tool, I rate the solution's technical support as less than five. It's community support. We do not have technical support, so we have to manually read the documentation and check the community forums.
How would you rate customer service and support?
Neutral
How was the initial setup?
I rate the initial setup a ten out of ten since it is easy. The server is easily deployed because it's an open-source and free solution. I think it's very easy to install on every computer authorized to use it.
Which other solutions did I evaluate?
I am still currently using Burp Suite, which is free.
What other advice do I have?
I can recommend others to use the solution for a quick and easy introduction to dynamic testing. But for the more advanced solution and for users like myself who understand the application suite itself for others and any organization to use the commercial solution as a proxy. I rate the overall solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
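Several reviewers above want the same three things from ZAP in a pipeline: a report cut down to the severities they care about, a way to carry verified false positives forward so they are not re-triaged on every run, and a pass/fail result the pipeline can act on. The following Python step is an added example, not code from any reviewer or from the ZAP project; it assumes the scan wrote its JSON report with `zap-baseline.py -J report.json`, and the sample report, host, URIs and triage list below are constructed for illustration.

```python
"""Post-process a ZAP JSON report in a pipeline step: keep findings at or above a chosen
risk level, drop ones a reviewer has already verified as false positives, and return a
pass/fail verdict. Added example; not ZAP's own code."""
import json
from typing import Dict, List, Optional, Tuple

# Risk codes as ZAP writes them in its report: 0 Informational, 1 Low, 2 Medium, 3 High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# Confidence code 0 means the alert was already marked as a false positive inside ZAP.

# Constructed sample shaped like the report written by `zap-baseline.py -J report.json`.
# The host, URIs and instances are illustrative, not from a real scan.
SAMPLE_REPORT_JSON = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "cweid": "89", "instances": [{"uri": "https://app.example.test/search?q=1",
                                           "method": "GET", "param": "q"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "1", "cweid": "79",
             "instances": [{"uri": "https://app.example.test/echo", "method": "GET", "param": "msg"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/app.js", "method": "GET", "param": ""}]},
        ],
    }],
})

# Constructed triage list a reviewer keeps in the repo: (plugin id, parameter) -> reason.
FALSE_POSITIVES = {("40012", "msg"): "echo endpoint HTML-encodes msg; verified by hand"}


def load_alerts(report_json: str) -> List[Dict]:
    """Flatten the per-site alert lists into one record per affected instance."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                alerts.append({
                    "site": site.get("@name", ""),
                    "pluginid": alert["pluginid"],
                    "name": alert["alert"],
                    "risk": int(alert["riskcode"]),
                    "confidence": int(alert["confidence"]),
                    "cwe": alert.get("cweid", ""),
                    "uri": inst.get("uri", ""),
                    "param": inst.get("param", ""),
                })
    return alerts


def triage(alerts: List[Dict], min_risk: int,
           false_positives: Dict[Tuple[str, str], str]) -> Tuple[List[Dict], List[Tuple[Dict, str]]]:
    """Split alerts into (kept, suppressed); each suppressed entry carries its reason."""
    kept, suppressed = [], []
    for a in alerts:
        key = (a["pluginid"], a["param"])
        if a["risk"] < min_risk:
            suppressed.append((a, f"below {RISK_NAMES[min_risk]}"))
        elif a["confidence"] == 0:
            suppressed.append((a, "marked false positive in ZAP"))
        elif key in false_positives:
            suppressed.append((a, "triaged: " + false_positives[key]))
        else:
            kept.append(a)
    return kept, suppressed


def gate(report_json: str, min_risk: int = 2,
         false_positives: Optional[Dict[Tuple[str, str], str]] = None,
         max_high: int = 0) -> Tuple[bool, List[Dict]]:
    """Return (passed, kept): passed is False once more than max_high High findings survive."""
    kept, _ = triage(load_alerts(report_json), min_risk, false_positives or {})
    return sum(a["risk"] == 3 for a in kept) <= max_high, kept


def summary_lines(kept: List[Dict]) -> List[str]:
    """Render surviving findings one per line, for a CI log or an e-mail body."""
    return [f"[{RISK_NAMES[a['risk']]}] {a['name']} (plugin {a['pluginid']}, CWE-{a['cwe']}) "
            f"{a['uri']} param={a['param']!r}" for a in kept]


if __name__ == "__main__":
    passed, kept = gate(SAMPLE_REPORT_JSON, min_risk=2, false_positives=FALSE_POSITIVES)
    print("\n".join(summary_lines(kept)))
    print("PASS" if passed else "FAIL")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline step
```

On the constructed sample the step keeps the SQL Injection and CSP findings, suppresses the reflected XSS (triaged) and the Low header finding, and exits non-zero because one High finding remains.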