OWASP Zap Reviews

We use it for our security scanning for our applications. 

The application scanning feature is the most valuable feature. 

The reporting feature could be more descriptive.

I have been using OWASP Zap for four years. 

It is a stable solution. 

Presently seven people use this solution. It is scalable. 

The initial setup is straightforward. 

It's open source.

Overall, i would rate the solution a seven out of ten. 

I use this solution for penetration tests.

It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).

It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.

It's a Java program installed on your computer.

The forced browse has been incorporated into the program and it is resource-intensive.

It was a copied program named DIR Buster Doorbuster. It needs to be improved, it's too resource-hungry.

I found another program that is written in the Go language and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap if you do more than one, it will take forever.

It needs to be rewritten, maybe not in Java.

I have used OWASP quite a bit. I have dealt with this solution for quite a few years. My usage has not been constant, but it has been quite a while.

We are dealing with the most recent version.

It creates a database of all the URLs and it can get a little overwhelming. 

With a large website, you have a lot of URLs, it gets a bit sluggish when loading and saving it, but it really works quite well. It goes in and out of it and goes too slow. It takes a little while to save all of that data.

It's a scalable product but its' slow.

I have not contacted technical support.

It has a very good forum on the website. The users help each other. It's helpful and resourceful.

I have used several solutions, such as Nessus, WebInspect, and Retina. The retina is a network scanner but OWASP is the best.

It's quick to set up. You can install it in different ways. I run it on Linux, Debian and I have run it on Windows as well.

OWASP Zap is free.

I was making a comparison between OWASP and Acunetix to see what the differences were.

I used to work with Homeland security back 10, 15 years ago, in the national cybersecurity division starting up right after 9/11.

I was on that national cybersecurity team. One of the things they looked into was funding using government money to fund some of these security operations or projects. They decided, and I helped decide, that it would be right for the government to support open-source systems or products because they're not making money out of that market.

One of the people in the government got involved and helped to get it started. I don't know if they still have a list on their website of donors or contributors, but you can look on that list pretty easily and see if Homeland security is still supporting them.

I assume it is because it's really well run. It's constantly evolving new versions coming out with new features. It's very well managed and the lead person on it is very sharp. You can go on YouTube and search for a proxy and you will see some deep-dive tutorials. He did a really good job.

There is a lot to this solution. You can use it superficially, but you need to spend a lot of time learning it. It has a lot of options and a lot of angles.

I would rate OWASP Zap a nine out of ten.

The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be. 

The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them. 

The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed. 

We have been using OWASP Zap for more than four years. 

The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance. 

The solution is scalable. It can be run simultaneously for different targets. 

I have not had experience with using technical support. I make use of a public community on the public website.

The initial setup is a bit complex, not straightforward. It could be made easy if, lets say, a project can be defined for a certain task through the project's creation. This may simplify its use. 

Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well. 

I used the source code design for the deployment.

I have not had experience with the code crawler, OSWAP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler. 

I rate OWASP Zap as a six out of ten. 

We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users. 

The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support. 

The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.

The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.

I've been using this solution for about one year. 

The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.

We are using the open source version so we have no technical support for now.

The installation is very simple. It's just an executable file because for now, we are not using it as a part of CACD or anything else. We have just installed the open source version on the laptop which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information wise and operational wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.

I carried out an evaluation between Checkmarx and OWASP Zap.

If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that. 

I rate this solution a six out of 10.

Currently, we build our products for the banking industry and use this solution in that process.

From a development cycle, we update the SQL injections that basically shows what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code. 

The solution is good at reporting the vulnerabilities of the application. 

It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards.

So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using.

It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.

Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to compliment the tool would go a long way in helping us use the solution.

I've been using the solution for five or six years at this point.

From the perspective of the development cycle that we use, we find it stable enough. I don't use it in production or I don't have to update sites running all the time. Once a week when I will build a VM pack, I push into another environment, and that's probably the time I would make it. For me, I find it to be stable enough.

I haven't really used technical support. Therefore, I can't really speak to their level of responsiveness or knowledgeability.

I'm not a security specialist, however, to be clear, we provide services. On a development project, we frequently run into various solutions. It's not just OWASP. It could be Veracode, for example, or multiple other tools. 

The initial setup is not necessarily straightforward. Most are complex. You need a senior person to specialize, understand the set up in which they are running, and understand the tools they are going to use. You need to ask: do they know what to look for and support? I wouldn't say it's complex to use. That said, normally the resources are costly.

In security, you'd expect the product is priced at a premium, so people don't check the pricing for the most part. In my case, I don't buy the product myself. I have the customers buy it for me. I'm not very worried about the price as a consultant.

We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are. 

There's all, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool, however, I don't believe we have any kind of a formal relationship with the company. 

Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a rating of eight out of ten.

Zap collects all the AJAX and Ambelo GS links. It pages in everything from a target. I'm a security consultant and we are customers of Zap. 

Zap is an open-source and sophisticated product. It not only saves us money but also provides us with a good amount of information. In terms of testing and attack simulations, it's pretty good. It updates its repositories and libraries pretty quickly. 

The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.

The solution is stable. 

We haven't had any scalability challenges. 

The installation was relatively easy as is maintenance. 

Whether this is a good solution depends on the use case. If an organization is looking for a professional license without putting down any money, this is one of the best solutions.  

I would rate this solution more highly if we were able to customize reports. For now, I rate this solution eight out of 10.

We use OWASP Zap for web application security scanning.

They offer free access to some other tools.

Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.

I have been using OWASP Zap for approximately three months.

I have used other solutions, such as AngularJS.

The installation is straightforward.

This solution is open source and free.

I have been evaluating Armor for my teammates who are using ZAP. I have found that Armor is better than ZAP and we are looking to switch solutions.

I rate OWASP Zap a six out of ten.

Currently, we deploy these tools to serve in a few of our services in the organization.

The solution is very easy to use.

The initial setup is straightforward.

The solution is free due to the fact that it is open-source.

The stability of the solution is very good.

The product has a strong community surrounding it to help with issues and troubleshooting.

The technical support could be improved. It doesn't offer traditional technical support at all.

It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.

I've been using the solution for a while. I've used it at least over the last 12 months.

The stability of the solution s very good. We've never had any issues. It's been reliable. There are no bugs or glitches. It doesn't crash or freeze.

While the solution can scale to a certain extent, it cannot scale a lot. This is not one of the strengths of the product.

We only have one user that is engaged with the solution currently.

OWASP is an open-source solution. There's a big community surrounding it, however, it does not have traditional technical support. The main support comes from the community itself. If you have questions, you can find them there, or ask the community for feedback.

We previously used the PortSwigger Burp Suite. It's a commercial version with support. We had to pay for the solution on a yearly basis, whereas OWASP is open-source and free.

We found the initial setup to be very straightforward. It's easy. It's not complex. A company shouldn't have any issues with the implementation process.

The deployment only took half an hour. It wasn't more than that. The process is pretty fast.

YOu do not need a big team to handle the deployment process. We only used two.

We deployed the solution ourselves using an in-house team. We didn't need the assistance of consultants or integrators from outside firms.

The solution is open-source. It doesn't cost anything to use it.

We are a customer and end-user of the product.

There's lots of information online for users who are curious to learn more about the product.

In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.