OWASP Zap Reviews

It's running on my system. I use it to scan URLs and can check things if I find something. 

There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets. 

It is easy to set up.

The solution is stable. 

I don't have any notes for improvements.

It should have more visibility. Everybody defaults to Burp. However, this is a free version that deserves more visibility.

There isn't too much information about it online. You need to self-teach in order to really learn how to use it. There isn't a lot of documentation available. 

It takes up a lot of memory and RAM. 

I've been using the solution for roughly six months. I've used it on and off. However, I really started using it constantly over the last six months. 

The solution is mostly stable. However, it requires a lot of RAM and memory. There are no bugs or glitches. 

It is not very scalable.

I'm the only security engineer. Only I use it in my company. 

I've never used technical support. I'm not sure how helpful or responsive they are. 

I used to use Portswigger Burp. This solution is free and has a lot of the paid versions Burp offers. I haven't used Burp Professional. I used the community version. I chose this solution as it is faster, at least compared to the community version. My understanding it the paid version of Burp is very fast.

The initial setup was very simple and straightforward. I didn't find any difficulty installing it on my system.

It takes about ten to 15 minutes to deploy. It depends on the machine you have. 

The solution is free to use. I don't pay any licensing fees. 

I'm an end-user. 

I'm not sure which version of the solution I'm using. 

I would rate the solution seven out of ten. While it is free to use, it does take up a lot of memory. I also find Burp easier to use than this product.

We use this product for vulnerability scanning and for testing. I'm an automation engineer. 

The HUD, Heads Up Display, is a good feature. It provides on-site testing and saves a lot of time.

We get too many false positives and that should definitely be improved. I'd like to see site scanning included in the solution because it can get into your hidden files and reports. 

I've been using this solution for one year. 

The solution is stable. 

The solution is not scalable. 

The initial setup is straightforward and was carried out in-house without assistance from a third party. 

It's worth exploring and learning the tool. It helps a lot to understand the vulnerabilities in the applications. I rate the solution eight out of 10. 

Zap collects all the AJAX and Ambelo GS links. It pages in everything from a target. I'm a security consultant and we are customers of Zap. 

Zap is an open-source and sophisticated product. It not only saves us money but also provides us with a good amount of information. In terms of testing and attack simulations, it's pretty good. It updates its repositories and libraries pretty quickly. 

The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.

The solution is stable. 

We haven't had any scalability challenges. 

The installation was relatively easy as is maintenance. 

Whether this is a good solution depends on the use case. If an organization is looking for a professional license without putting down any money, this is one of the best solutions.  

I would rate this solution more highly if we were able to customize reports. For now, I rate this solution eight out of 10.

Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.

The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.

It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.

I have been using this solution for roughly 12 months. I am using the latest freeware version that is available on the website.

Its stability is good. 

It lacks scalability. It is only good up to a limit.

Based on my interactions, they have been very good. They take around 24 hours to get back to you because they're a very large organization that is totally into this. They are quite good. They aren't the best, but they are quite good.

Its initial setup was straightforward. It was pretty much immediate. There was no deployment issue. It was done quickly.

It was implemented in-house. In terms of maintenance, it doesn't require much maintenance. You need just one person to follow the updates. That's about it.

We have used the freeware version. I believe Zap only has freeware.

My advice would be to not look at Zap as a one-stop-shop for all your results because Zap cannot do that. Zap is very good for a certain number of basic vulnerabilities or medium to high-level issues, but it can't go beyond that. You can use Zap along with another tool. If you're doing two or three levels of security testing, you can use Zap along with other tools.

It is more of a learner tool. So, if you're using Zap, it would be best if you use it as a beginner in the field. Once you get into projects or work for people on their applications, you'll definitely end up needing something stronger.

I would rate it a five out of ten.

The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be. 

The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them. 

The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed. 

We have been using OWASP Zap for more than four years. 

The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance. 

The solution is scalable. It can be run simultaneously for different targets. 

I have not had experience with using technical support. I make use of a public community on the public website.

The initial setup is a bit complex, not straightforward. It could be made easy if, lets say, a project can be defined for a certain task through the project's creation. This may simplify its use. 

Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well. 

I used the source code design for the deployment.

I have not had experience with the code crawler, OSWAP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler. 

I rate OWASP Zap as a six out of ten. 

We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users. 

The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support. 

The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.

The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.

I've been using this solution for about one year. 

The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.

We are using the open source version so we have no technical support for now.

The installation is very simple. It's just an executable file because for now, we are not using it as a part of CACD or anything else. We have just installed the open source version on the laptop which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information wise and operational wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.

I carried out an evaluation between Checkmarx and OWASP Zap.

If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that. 

I rate this solution a six out of 10.

Currently, we build our products for the banking industry and use this solution in that process.

From a development cycle, we update the SQL injections that basically shows what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code. 

The solution is good at reporting the vulnerabilities of the application. 

It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards.

So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using.

It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.

Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to compliment the tool would go a long way in helping us use the solution.

I've been using the solution for five or six years at this point.

From the perspective of the development cycle that we use, we find it stable enough. I don't use it in production or I don't have to update sites running all the time. Once a week when I will build a VM pack, I push into another environment, and that's probably the time I would make it. For me, I find it to be stable enough.

I haven't really used technical support. Therefore, I can't really speak to their level of responsiveness or knowledgeability.

I'm not a security specialist, however, to be clear, we provide services. On a development project, we frequently run into various solutions. It's not just OWASP. It could be Veracode, for example, or multiple other tools. 

The initial setup is not necessarily straightforward. Most are complex. You need a senior person to specialize, understand the set up in which they are running, and understand the tools they are going to use. You need to ask: do they know what to look for and support? I wouldn't say it's complex to use. That said, normally the resources are costly.

In security, you'd expect the product is priced at a premium, so people don't check the pricing for the most part. In my case, I don't buy the product myself. I have the customers buy it for me. I'm not very worried about the price as a consultant.

We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are. 

There's all, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool, however, I don't believe we have any kind of a formal relationship with the company. 

Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a rating of eight out of ten.

We use OWASP Zap for web application security scanning.

They offer free access to some other tools.

Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.

I have been using OWASP Zap for approximately three months.

I have used other solutions, such as AngularJS.

The installation is straightforward.

This solution is open source and free.

I have been evaluating Armor for my teammates who are using ZAP. I have found that Armor is better than ZAP and we are looking to switch solutions.

I rate OWASP Zap a six out of ten.