OWASP Zap Reviews

We primarily use this product for web application scanning.

The interface is easy to use.

The documentation needs to be improved because I had to learn everything from watching YouTube videos.

I have been working with OWASP Zap for about three months.

I have not experienced any trouble in terms of stability.

Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.

I have not been in contact with technical support.

The initial setup was straightforward. For me, I just had to press "Next" several times. Between the installation, downloading videos, and investigating how to deploy it, I would say that the process took roughly a day.

I did not require third-party assistance for the deployment.

This solution is providing us with value and as long as it continues to do so, we'll continue to use it.

This is an open-source solution and can be used free of charge.

This is a good product where most of the functionality is free, which is why I recommend that others use it.

I would rate this solution a seven out of ten.

I'm a business analyst and we're a customer of OWASP Zap. 

The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.

I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives. 

I've been using this solution for the past few months. 

The stability is okay although we get many false positives when pulling out test reports. 

The scalability is very good. 

I haven't needed technical support to date and I haven't yet started using the community support.  

The initial setup wasn't very complex. You're supposed to install a JDK, Java file. I think implementation took about an hour. There are seven people in the company using the solution and maybe in the coming days there will be more. 

I would definitely recommend this product provided the company can provide more clarity on the false positives that we get. 

I would rate this solution a seven out of 10. 

Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.

I would say that the automatic update is a very valuable feature because we are able to update our internal data base. The pull request analysis is also very good.

The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories. 

I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up. 

We've been using this solution for three or four years. 

Regarding stability, we have some issues in our product and we need to work on it. Something is wrong in the architecture, perhaps it's a bug. 

The initial setup was done before I came to the company. There are five people on our security team who discuss maintenance issues and try to solve problems. 

I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance.

I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10. 

We only tried out the demo to see what the solution offers and how it performs overall business scanning. They also offer open-source projects.

There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.

The OWASP Zap solution was very stable during the few days we used it.

The scalability of this product is very good.

I will rate this product a seven out of ten, because I think the visibility needs to be improved, and the support person needs to do a better job. What's more, additional features, like domain support or different authentication support also needs to be improved.

The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.

I'm still in the process of exploring.

I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help.

I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.

We primarily use this application for web application spidering and vulnerability assessment.

The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular website. The spidering mechanism is very good.

The automatic scans need improvement. The automated vulnerability assessments that the application performs needs to be simplified as well as diversified.

The solution is very stable. Presently there are only around three people including me using this particular solution. I really don't think we would be needing anything more than these as of right now.

I would say that scalability doesn't apply to this particular application. 

Presently there is only community support available, and we are able to solve a lot of problems using the documentation with community support.

Yes, we actually use a couple of different products but there is one specifically that we use, which is the Burp Suite.

The initial setup was very straightforward.

This app is completely free and open source. So there is no question about any pricing.

I would recommend that you should go through the documentation really well. That's it.

I would rate this product 8 out of 10.

I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues.

I get to use these tools to assess products/platforms before they go live to the market.

We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had OAuth token change every time a request was being sent. Somebody from the support community had contributed a sample code to accomplish this. In terms of the community support that is available, OWASP Zap has great set of features to use.

The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.

OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage.

One area where the tool can be improved is specifically,  if there's some more intelligence that can be added on to the reporting feature, it would be great. 

There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report.

That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.

There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation:

• Project information
• Client name
• Organization name
• Platform against which this test has been done
  

If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.

Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.

The only place that I faced issues with the OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that ZAP Proxy tool tends to be a little more slow to respond. We're not sure whether it's progressing at the background or whether the application is frozen. We have faced the encounter when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there.Other than that we have not seen significant issue with the tool.

Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose this ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix, BurpSuite. 

For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis, and make a recommendation that best suits them, explaining the pros and cons of each tools. i.e when you use a solution like OWASP Zap versus going on with a tool like Burp Suite or Acunetix. 

For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.

For example, we expected PortSwigger to have OAuth token to be available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.

In terms of product support, I would say, Port Swigger support has been very good. 

The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.

As far as pricing concerns, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commerical licenses, OWASP Zap tool is the best fit.

When people are trying to make use of OWASP Zap, I would advise first read through and understand the OWASP vulnerabilities very well. Then start looking at features, tutorials of the OWASP ZAP Proxy that are made available online.

There are a lot of YouTube videos, articles in the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which is already having vulnerabilities and assess the application around with the ZAP Proxy tool.

In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten. 

Our primary use case of this solution is to scan and check that the applications we put on the internet are safe and secure.

This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we are doing large deployments, we might get a professional security partner in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes the process easier and safer.

Automatic scanning after a manual walkthrough is the most valuable feature. 

I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning. 

I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.

Good.

In terms of scalability, I only tried it on small applications, so I don't know, but it seems very quick. We have plans to increase usage and to also support APIs and not just the applications. All applications that will be exposed to the internet are scanned. The ones that are used internally, in the organization, are not scanned at this point in time.

I never had to reach out to their technical support. The internet forums are great. There's so much open information on the internet so you don't really need much else. 

We tried PortSwigger Burp suite, but only briefly. We have also used IBM AppScan for a while.

The initial setup was straightforward. We didn't have to do much. There was an easy to follow guide online and there was not much to do other than to follow a straightforward tutorial. Deployment took around an hour. 

I implemented it myself. 

It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use.

We ran IBM Appscan for a year, but it was expensive and did not deliver more value. Veracode was pretty much the same and cost the same. We then also looked at PortSwigger Burp Suite Pro, which is at a better price point and a very good expert tool. Though at this point in time, given our needs, it does not seem to give us any advantage over ZAP. Also, the forums and the internet community is excellent on ZAP and it's free.

I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs.

I would rate this solution an eight out of ten. It does what it says it will do and it's not hard to set up. It is also easy to use both automatically and manually and has a plug-in into every major build-tool, like Jenkins , Gitlab and others. You can automate it through a building process.