Security Officer at UnDisclosed
Real User
Stable dynamic testing solution with unreliable manual processes
Pros and Cons
  • "Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
  • "The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."

What is our primary use case?

OWASP Zap is used for dynamic testing, for when any kind of application, like a web application, needs to be tested for its security and vulnerabilities. It is also used to crawl the site and then enumerate all the inputs or possible exploitation points, and then we try to exploit any blockings within OWASP Zap.

How has it helped my organization?

It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities, I rate it a seven out of ten. But there are many things that I have to do manually for safety and better clarification.

What is most valuable?

I think the automation feature is the one I used the most in the tool, for the crawling and enumeration, and the feature where we can manipulate the insides of the response. So, we can manipulate web responses and use them to test a certain website's security.

What needs improvement?

Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add it ourselves or do it manually. How to differentiate between false positives and true findings needs improvement. In general, the shortcomings in the accuracy of the findings need to be improved.

The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.

Buyer's Guide
OWASP Zap
June 2025
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for four or five years. We got the information from the community that it is open-source software, so we are using it as part of the community. We are using the open-source version. It is not difficult to upgrade to the latest version.

What do I think about the stability of the solution?

Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high. I never found the applications crashing.

What do I think about the scalability of the solution?

Scalability-wise, I rate the solution a five out of ten.

The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time. Five users who are IT security engineers in my company use the tool. I plan to increase the usage of the tool in the future.

How are customer service and support?

Since it's a community-based tool, I rate the solution's technical support as less than five. It's community support. We do not have technical support, so we have to manually read the documentation and check the community forums.

How would you rate customer service and support?

Neutral

How was the initial setup?

I rate the initial setup a ten out of ten since it is easy. The server is easily deployed because it's an open-source and free solution. I think it's very easy to install on every computer authorized to use it.

Which other solutions did I evaluate?

I am still currently using Burp Suite, which is free.

What other advice do I have?

I can recommend others to use the solution for a quick and easy introduction to dynamic testing. But for a more advanced solution, and for users like myself who understand the application suite itself, I would advise others and any organization to use the commercial solution as a proxy. I rate the overall solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1753959 - PeerSpot reviewer
Cyber Security Engineer at a transportation company with 10,001+ employees
Real User
Good functionality and works well with Portswigger Burp but it needs to add more extensions
Pros and Cons
  • "It's great that we can use it with Portswigger Burp."
  • "They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."

What is our primary use case?

I primarily use the solution for different use cases. It's good for analysis. It also offers additional extensions you can take advantage of. There are different scan extensions you can leverage. 

How has it helped my organization?

It helps that we can use it hand in hand with Portswigger Burp. Since each has scanning capabilities, we can use them together and leverage whichever has the better scanning extension, depending on what we need.

What is most valuable?

We like the functionality.

It's great that we can use it with Portswigger Burp.

There is a good community surrounding the solution. 

The initial setup is easy.

It's stable and reliable.

The solution can scale.

What needs improvement?

We'd like the solution to continue to add more extensions. 

They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better. It's not as good as it was. 

For how long have I used the solution?

I've used the solution since 2013. I've used it for quite some time. 

What do I think about the stability of the solution?

It is pretty stable. There are no bugs or glitches. It doesn't crash or freeze. It is reliable. 

What do I think about the scalability of the solution?

The solution is pretty scalable. It's easy to extend as needed. 

How are customer service and support?

Technical support used to be very good. Then they stopped. Now, they are coming back. However, they are behind in support services. 

Which solution did I use previously and why did I switch?

I've also used Portswigger Burp. I can use both at the same time and use extensions to leverage them together. 

How was the initial setup?

The setup is simple and straightforward, depending on your level of knowledge. Portswigger Burp may be a bit easier. However, both are straightforward. This is not complex to implement. It also doesn't take long to deploy.

If you can download it in five minutes, you can have it set up in seven minutes. 

What's my experience with pricing, setup cost, and licensing?

This solution is open-source and free to use. 

What other advice do I have?

I am using the latest version. I usually download the latest version and then use it.

Users need to read the documentation before starting. Users need to educate themselves before they start.

I'd rate the solution seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
JoelGeorge - PeerSpot reviewer
Associate at Tata Consultancy
Real User
Scans quickly and works very well, but has a limited scope and needs more comprehensive reporting
Pros and Cons
  • "Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
  • "The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."

What is most valuable?

Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.

What needs improvement?

The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.

It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.

For how long have I used the solution?

I have been using this solution for roughly 12 months. I am using the latest freeware version that is available on the website.

What do I think about the stability of the solution?

Its stability is good. 

What do I think about the scalability of the solution?

It lacks scalability. It is only good up to a limit.

How are customer service and support?

Based on my interactions, they have been very good. They take around 24 hours to get back to you because they're a very large organization that is totally into this. They are quite good. They aren't the best, but they are quite good.

How was the initial setup?

Its initial setup was straightforward. It was pretty much immediate. There was no deployment issue. It was done quickly.

What about the implementation team?

It was implemented in-house. In terms of maintenance, it doesn't require much maintenance. You need just one person to follow the updates. That's about it.

What's my experience with pricing, setup cost, and licensing?

We have used the freeware version. I believe Zap only has freeware.

What other advice do I have?

My advice would be to not look at Zap as a one-stop-shop for all your results because Zap cannot do that. Zap is very good for a certain number of basic vulnerabilities or medium to high-level issues, but it can't go beyond that. You can use Zap along with another tool. If you're doing two or three levels of security testing, you can use Zap along with other tools.

It is more of a learner tool. So, if you're using Zap, it would be best if you use it as a beginner in the field. Once you get into projects or work for people on their applications, you'll definitely end up needing something stronger.

I would rate it a five out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
CEO at Virtual Security International
Real User
Open-source, easy to install, feature-rich, with good heads-up display and community resources
Pros and Cons
  • "It has evolved over the years, and recently, in the last year, they have added the HUD (Heads Up Display)."
  • "The forced browse has been incorporated into the program and it is resource-intensive."

What is our primary use case?

I use this solution for penetration tests.

What is most valuable?

It has evolved over the years, and recently, in the last year, they have added the HUD (Heads Up Display).

It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.

It's a Java program installed on your computer.

What needs improvement?

The forced browse has been incorporated into the program and it is resource-intensive.

It was a copied program named DirBuster. It needs to be improved; it's too resource-hungry.

I found another program that is written in the Go language, and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap if you do more than one; it will take forever.

It needs to be rewritten, maybe not in Java.

For how long have I used the solution?

I have used OWASP quite a bit. I have dealt with this solution for quite a few years. My usage has not been constant, but it has been quite a while.

We are dealing with the most recent version.

What do I think about the stability of the solution?

It creates a database of all the URLs and it can get a little overwhelming. 

With a large website, you have a lot of URLs, it gets a bit sluggish when loading and saving it, but it really works quite well. It goes in and out of it and goes too slow. It takes a little while to save all of that data.

What do I think about the scalability of the solution?

It's a scalable product, but it's slow.

How are customer service and technical support?

I have not contacted technical support.

It has a very good forum on the website. The users help each other. It's helpful and resourceful.

Which solution did I use previously and why did I switch?

I have used several solutions, such as Nessus, WebInspect, and Retina. Retina is a network scanner, but OWASP is the best.

How was the initial setup?

It's quick to set up. You can install it in different ways. I run it on Linux (Debian), and I have run it on Windows as well.

What's my experience with pricing, setup cost, and licensing?

OWASP Zap is free.

Which other solutions did I evaluate?

I was making a comparison between OWASP and Acunetix to see what the differences were.

What other advice do I have?

I used to work with Homeland Security back 10 or 15 years ago, in the National Cyber Security Division, starting up right after 9/11.

I was on that national cybersecurity team. One of the things they looked into was funding using government money to fund some of these security operations or projects. They decided, and I helped decide, that it would be right for the government to support open-source systems or products because they're not making money out of that market.

One of the people in the government got involved and helped to get it started. I don't know if they still have a list on their website of donors or contributors, but you can look on that list pretty easily and see if Homeland Security is still supporting them.

I assume it is because it's really well run. It's constantly evolving new versions coming out with new features. It's very well managed and the lead person on it is very sharp. You can go on YouTube and search for a proxy and you will see some deep-dive tutorials. He did a really good job.

There is a lot to this solution. You can use it superficially, but you need to spend a lot of time learning it. It has a lot of options and a lot of angles.

I would rate OWASP Zap a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
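The forced browse the reviewer above compares to DirBuster is a wordlist of path guesses fired at the target. What decides whether such a run eats memory, crashes the proxy or "takes forever" is how many requests are in flight at once and whether the tool notices that the site answers 200 to everything (a soft 404), in which case every guess looks like a hit. The following is an added example, not code from ZAP, from the reviewer, or from the Go tool mentioned: a bounded-concurrency forced browser with a soft-404 canary check. It runs against a throwaway HTTP server started in-process, so it works offline; the demo paths, the wordlist and the 127.0.0.1 target are all constructed for the example.

```python
"""Forced browse (DirBuster-style path guessing) with a bounded worker pool
and a soft-404 baseline check.

Added example, not code from ZAP or from the reviewer.  It runs against a
small in-process HTTP server built here so it works offline; the wordlist,
the paths that "exist" on the demo server and the target address are all
constructed for the example.
"""
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed demo site: these paths answer 200, /admin/ answers 403 and
# everything else 404.  With soft_404=True the server answers 200 to every
# path, the failure mode that floods a naive forced browser with "hits".
DEMO_PATHS = {"/", "/index.html", "/backup.zip", "/.git/HEAD"}
DEMO_FORBIDDEN = {"/admin/"}


def start_demo_server(soft_404: bool = False):
    """Start a throwaway HTTP server on 127.0.0.1 and return (server, base_url)."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path in DEMO_FORBIDDEN:
                self.send_response(403)
            elif self.path in DEMO_PATHS or soft_404:
                self.send_response(200)
            else:
                self.send_response(404)
            self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe(base_url: str, path: str, timeout: float = 5.0) -> int:
    """Return the HTTP status for base_url + path (0 on connection failure)."""
    req = Request(base_url + path, method="GET",
                  headers={"User-Agent": "forced-browse-example"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as e:
        return e.code
    except URLError:
        return 0


def force_browse(base_url: str, wordlist, workers: int = 8):
    """Probe every wordlist entry with at most `workers` requests in flight.

    Returns {"found": [...], "forbidden": [...], "soft_404": bool}.  A random
    path that cannot exist is requested first; if it comes back 200 the site
    treats every URL as found, so we report that instead of "finding" the
    whole wordlist.
    """
    canary = "/" + secrets.token_hex(12)
    if probe(base_url, canary) == 200:
        return {"found": [], "forbidden": [], "soft_404": True}

    # Normalise to absolute paths; keep a trailing slash, /admin and /admin/ differ.
    paths = sorted({"/" + w.strip().lstrip("/") for w in wordlist if w.strip()})
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = dict(zip(paths, pool.map(lambda p: probe(base_url, p), paths)))

    return {
        "found": [p for p, s in statuses.items() if s == 200],
        "forbidden": [p for p, s in statuses.items() if s == 403],
        "soft_404": False,
    }


# Constructed wordlist; a real run would use a DirBuster or SecLists list.
WORDLIST = ["index.html", "backup.zip", ".git/HEAD", "admin", "admin/", "config.php", "old/"]

if __name__ == "__main__":
    server, base = start_demo_server()
    try:
        print(force_browse(base, WORDLIST, workers=4))
    finally:
        server.shutdown()
```

The `workers` argument is the knob the reviewer is missing: it caps concurrent requests regardless of wordlist size, and the canary request costs one round trip but prevents a soft-404 site from turning a 200,000-entry list into 200,000 "findings" that then have to be stored and verified.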
Mubarak Arimiyah - PeerSpot reviewer
Software Quality Assurance Engineer at Netow Solutions Ltd
Real User
An open-source solution that helps with application testing
Pros and Cons
  • "We use the solution for security testing."
  • "OWASP Zap needs to extend to mobile application testing."

What is our primary use case?

We use the solution for security testing. 

What needs improvement?

OWASP Zap needs to extend to mobile application testing. 

What do I think about the stability of the solution?

OWASP Zap is stable. 

What's my experience with pricing, setup cost, and licensing?

The tool is open-source. 

What other advice do I have?

I rate the solution an eight out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Gebran Hadchity - PeerSpot reviewer
Head Of Development at VALOORES
Reseller
An easy-to-install product that discovers more vulnerabilities than any other tool in the market
Pros and Cons
  • "The product discovers more vulnerabilities compared to other tools."
  • "The product should allow users to customize the report based on their needs."

What is our primary use case?

We use the product to ensure that our source code is safe enough and has no vulnerabilities before delivering a new release for our AML product. We also used the product for dynamic testing to test applications as a black box.

What is most valuable?

The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.

What needs improvement?

The product should allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it's better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability. 

If I need to figure out only the critical or the high severity, I shouldn’t have to figure out the low severity vulnerabilities or the smell codes. These services could be helpful for the end user and save time whenever we need to generate a new report. The execution time is a little bit exaggerated. This process can optimize the report’s performance.

For how long have I used the solution?

I have been using the solution for two to three months.

What do I think about the stability of the solution?

The solution is very stable. I rate the solution’s stability a nine out of ten.

What do I think about the scalability of the solution?

Two resources from our security team work on generating and implementing reports. However, many other developers use the product to fix vulnerabilities and penetrate or audit the whole source code for products. The owner of the product and the developers are involved in the correction and the long-term plan to cover or close the vulnerability.

How was the initial setup?

I rate the ease of setup an eight out of ten.

What about the implementation team?

The installation is quick. It can be done in a couple of hours.

What's my experience with pricing, setup cost, and licensing?

The solution’s pricing is high. I rate the pricing a nine or ten out of ten. There is an indirect cost on the resources and specs needed to deploy or implement the product. When we run the report, it consumes a lot of du from the servers.

What other advice do I have?

We use SonarQube for penetration testing. We are most likely to have hybrid solutions. However, the deployment model depends on our clients, the data, and the type of product we will deploy. I didn't use automatic scalability for our deliveries and deployment. 

The solution is worth using. We've used many tools and discovered that OWASP detects multiple high vulnerabilities, which the other tools do not detect. Overall, I rate the product an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
Saurabh_Srivastava - PeerSpot reviewer
Manager, Quality Assurance at Managed Markets Insight & Technology, LLC
Real User
It's easy to use and the automated scan is powerful, but the cloud integration could be improved
Pros and Cons
  • "ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
  • "ZAP's integration with cloud-based CI/CD pipelines could be better. The scan should run through the entire pipeline."

What is our primary use case?

We use ZAP for penetration testing. 

What is most valuable?

ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.

What needs improvement?

ZAP's integration with cloud-based CI/CD pipelines could be better. The scan should run through the entire pipeline.

For how long have I used the solution?

We have used ZAP for more than six months.

What do I think about the stability of the solution?

ZAP is stable. 

How are customer service and support?

I rate ZAP support seven out of 10. It's good. 

How would you rate customer service and support?

Neutral

How was the initial setup?

Deploying ZAP is straightforward. It took me and one other person three or four days to install and configure ZAP. 

What's my experience with pricing, setup cost, and licensing?

We use the community version. 

Which other solutions did I evaluate?

We did a POC for a tool by NetSuite, but that was a paid tool. 

What other advice do I have?

I rate OWASP ZAP seven out of 10. It's an excellent penetration testing tool for developers. That scanning part is solid, but the integration with AWS and Azure pipelines could be better. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
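Three reviews on this page ask for the same thing from different angles: the first reviewer verifies every finding by hand to weed out false positives, Gebran Hadchity wants to pull out only one category (SQL injection) or only the high-severity findings, and Saurabh Srivastava wants the scan to gate a pipeline. ZAP's report already carries the two fields that make this mechanical: each alert has a risk level (riskcode 0 to 3: Informational, Low, Medium, High) and a separate confidence level (0 to 4: False Positive, Low, Medium, High, User Confirmed). The following is an added example, not ZAP's own code or any reviewer's: it reads a traditional-json report, keeps only alerts at or above a chosen risk (optionally filtered by name), splits them by confidence into "confirmed enough to fail the build" and "needs a human look", collapses instances that differ only in query values so the same rule firing on forty URLs is one thing to verify, and prints a Markdown summary. The embedded report is constructed for the example and only follows the shape of ZAP's traditional-json output; the host, URLs and findings are made up, and the plugin IDs are the ones I believe ZAP uses for those rules.

```python
"""Triage a ZAP traditional-json report into findings that are confirmed
enough to gate a build and findings that still need a human look.

Added example, not code from ZAP or from any reviewer on this page.  The
report below is constructed for the example; it follows the field names of
ZAP's traditional-json template, where riskcode is 0-3 (Informational, Low,
Medium, High) and confidence is 0-4 (False Positive, Low, Medium, High,
User Confirmed).  Hosts, URLs and findings are made up.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "User Confirmed"}

# Constructed sample report (shape of ZAP's traditional-json output).
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP", "@version": "2.14.0",
    "site": [{"@name": "https://shop.example.test", "alerts": [
        {"pluginid": "40018", "alertRef": "40018", "name": "SQL Injection",
         "riskcode": "3", "confidence": "2", "cweid": "89",
         "instances": [
             {"uri": "https://shop.example.test/search?q=a", "method": "GET", "param": "q"},
             {"uri": "https://shop.example.test/search?q=b", "method": "GET", "param": "q"}]},
        {"pluginid": "40012", "alertRef": "40012", "name": "Cross Site Scripting (Reflected)",
         "riskcode": "3", "confidence": "1", "cweid": "79",
         "instances": [{"uri": "https://shop.example.test/item?id=7", "method": "GET", "param": "id"}]},
        {"pluginid": "10021", "alertRef": "10021", "name": "X-Content-Type-Options Header Missing",
         "riskcode": "1", "confidence": "2", "cweid": "693",
         "instances": [{"uri": "https://shop.example.test/", "method": "GET", "param": ""}]},
        {"pluginid": "6", "alertRef": "6", "name": "Path Traversal",
         "riskcode": "3", "confidence": "0", "cweid": "22",
         "instances": [{"uri": "https://shop.example.test/file?name=x", "method": "GET", "param": "name"}]},
    ]}],
})


def load_alerts(report_text):
    """Flatten site[].alerts[] into one list with numeric risk/confidence."""
    alerts = []
    for site in json.loads(report_text).get("site", []):
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "name": a.get("name") or a.get("alert", ""),
                "ref": a.get("alertRef") or a.get("pluginid", ""),
                "risk": int(a.get("riskcode", 0)),
                "confidence": int(a.get("confidence", 0)),
                "cwe": a.get("cweid", ""),
                "instances": [(i.get("method", ""), i.get("uri", ""), i.get("param", ""))
                              for i in a.get("instances", [])],
            })
    return alerts


def triage(alerts, min_risk=2, min_confidence=2, name_filter=None):
    """Keep alerts at or above min_risk (optionally only those whose name
    contains name_filter), then split them by ZAP's confidence value.
    Confidence 0 is an alert someone already marked as a false positive."""
    kept = [a for a in alerts if a["risk"] >= min_risk
            and (name_filter is None or name_filter.lower() in a["name"].lower())]
    return {
        "confirmed": [a for a in kept if a["confidence"] >= min_confidence],
        "verify": [a for a in kept if 0 < a["confidence"] < min_confidence],
        "false_positive": [a for a in kept if a["confidence"] == 0],
    }


def unique_entry_points(alerts):
    """Collapse instances to (alert, method, URL without query, param): the
    same rule firing on many URLs that differ only in query values is one
    thing to verify by hand, not many."""
    hits = defaultdict(int)
    for a in alerts:
        for method, uri, param in a["instances"]:
            bare = urlsplit(uri)._replace(query="", fragment="").geturl()
            hits[(a["name"], method, bare, param)] += 1
    return [{"alert": k[0], "method": k[1], "url": k[2], "param": k[3], "hits": n}
            for k, n in sorted(hits.items())]


def render_markdown(result):
    """Short Markdown summary: one table per bucket, one row per entry point."""
    out = []
    for bucket, title in (("confirmed", "Confirmed"), ("verify", "Needs manual verification")):
        out.append(f"## {title}\n\n| Alert | Risk | Confidence | Method | URL | Param | Hits |\n"
                   "|---|---|---|---|---|---|---|")
        by_name = {a["name"]: a for a in result[bucket]}
        for e in unique_entry_points(result[bucket]):
            a = by_name[e["alert"]]
            out.append(f"| {e['alert']} | {RISK[a['risk']]} | {CONFIDENCE[a['confidence']]} "
                       f"| {e['method']} | {e['url']} | {e['param'] or '-'} | {e['hits']} |")
        out.append("")
    return "\n".join(out)


def gate(result, fail_on_risk=3):
    """Pipeline exit status: 1 only for confirmed alerts at or above fail_on_risk,
    so low-confidence hits block nobody until a person has looked at them."""
    return 1 if any(a["risk"] >= fail_on_risk for a in result["confirmed"]) else 0


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = triage(load_alerts(text))
    print(render_markdown(result))
    sys.exit(gate(result))
```

Run it as `python triage.py zap-report.json` after a scan; the exit status is what a CI step keys on. Gating on confidence rather than on risk alone is the design point: a High-risk alert ZAP itself rates Low-confidence goes to the verification queue instead of failing the build, and an alert already marked as a false positive in ZAP is dropped on sight.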
EricIgbinosun - PeerSpot reviewer
Information Security Professional at AEDC
Real User
Fast and easy to set up but uses a lot of memory
Pros and Cons
  • "You can run it against multiple targets."
  • "There isn't too much information about it online."

What is our primary use case?

It's running on my system. I use it to scan URLs and can check things if I find something. 

What is most valuable?

There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets. 

It is easy to set up.

The solution is stable. 

What needs improvement?

I don't have any notes for improvements.

It should have more visibility. Everybody defaults to Burp. However, this is a free version that deserves more visibility.

There isn't too much information about it online. You need to self-teach in order to really learn how to use it. There isn't a lot of documentation available. 

It takes up a lot of memory and RAM. 

For how long have I used the solution?

I've been using the solution for roughly six months. I've used it on and off. However, I really started using it constantly over the last six months. 

What do I think about the stability of the solution?

The solution is mostly stable. However, it requires a lot of RAM and memory. There are no bugs or glitches. 

What do I think about the scalability of the solution?

It is not very scalable.

I'm the only security engineer. Only I use it in my company. 

How are customer service and support?

I've never used technical support. I'm not sure how helpful or responsive they are. 

Which solution did I use previously and why did I switch?

I used to use Portswigger Burp. This solution is free and has a lot of what the paid version of Burp offers. I haven't used Burp Professional. I used the community version. I chose this solution as it is faster, at least compared to the community version. My understanding is that the paid version of Burp is very fast.

How was the initial setup?

The initial setup was very simple and straightforward. I didn't find any difficulty installing it on my system.

It takes about ten to 15 minutes to deploy. It depends on the machine you have. 

What's my experience with pricing, setup cost, and licensing?

The solution is free to use. I don't pay any licensing fees. 

What other advice do I have?

I'm an end-user. 

I'm not sure which version of the solution I'm using. 

I would rate the solution seven out of ten. While it is free to use, it does take up a lot of memory. I also find Burp easier to use than this product.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
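The "jobs" the reviewer above describes, running all the processes against a target without driving them by hand and doing the same for several targets, is what ZAP's Automation Framework plan does: a YAML file with an `env` section defining one context per target and a `jobs` list (spider, wait for the passive scanner, active scan, report) that ZAP executes headless with `zap.sh -cmd -autorun plan.yaml`. The following is an added example, not ZAP's own code or the reviewer's: it renders such a plan for a list of targets so the same job set runs against each in its own context, and it applies the report job's risk filter so the output only carries the severities you want. The job types and parameter names follow the Automation Framework documentation as I read it; confirm them against the docs for your ZAP version. The target URLs are made up, and `/zap/wrk` is assumed to be the directory mounted into the official Docker image for plans and reports.

```python
"""Render a ZAP Automation Framework plan that runs one job set against
several targets, each in its own context, then writes a single JSON report.

Added example, not ZAP's own code.  Job types and parameter names
(env.contexts, spider, passiveScan-wait, activeScan, report with the
traditional-json template and a risks filter) follow the Automation
Framework documentation as I read it; confirm them against the docs for
your ZAP version.  Target URLs are made up, and /zap/wrk is assumed to be
the directory mounted into the official Docker image for plans and reports.
"""
from urllib.parse import urlsplit

RISK_LEVELS = ("info", "low", "medium", "high")


def context_name(url):
    """One context per host (and port, so two ports on a host do not collide)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"target must be an absolute URL: {url!r}")
    name = parts.hostname.replace(".", "-")
    return f"{name}-{parts.port}" if parts.port else name


def render_plan(targets, report_dir="/zap/wrk/reports", report_file="zap-report",
                max_spider_minutes=5, min_risk="medium"):
    """Return the plan as YAML text.  Spider and active scan run per context;
    the passive scanner is drained once before active scanning starts; the
    report keeps only alerts at or above min_risk."""
    if not targets:
        raise ValueError("at least one target URL is required")
    if min_risk not in RISK_LEVELS:
        raise ValueError(f"min_risk must be one of {RISK_LEVELS}")
    contexts = [(context_name(u), u) for u in targets]
    if len({c for c, _ in contexts}) != len(contexts):
        raise ValueError("two targets map to the same context name")

    y = ["env:", "  contexts:"]
    for ctx, url in contexts:
        y += [f'    - name: "{ctx}"', "      urls:", f'        - "{url}"']
    y += ["  parameters:", "    failOnError: true", "    failOnWarning: false",
          "    progressToStdout: true", "jobs:"]
    for ctx, _ in contexts:
        y += ["  - type: spider", "    parameters:", f'      context: "{ctx}"',
              f"      maxDuration: {max_spider_minutes}"]
    y += ["  - type: passiveScan-wait"]
    for ctx, _ in contexts:
        y += ["  - type: activeScan", "    parameters:", f'      context: "{ctx}"']
    y += ["  - type: report", "    parameters:", '      template: "traditional-json"',
          f'      reportDir: "{report_dir}"', f'      reportFile: "{report_file}"',
          "    risks:"]
    y += [f"      - {lvl}" for lvl in RISK_LEVELS[RISK_LEVELS.index(min_risk):]]
    return "\n".join(y) + "\n"


# Running the plan headless from the official image (assumed mount path):
#   docker run --rm -v "$PWD":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable \
#       zap.sh -cmd -autorun /zap/wrk/plan.yaml
if __name__ == "__main__":
    import sys
    urls = sys.argv[1:] or ["https://app.example.test", "https://api.example.test:8443"]
    sys.stdout.write(render_plan(urls))
```

`python render_plan.py https://a.example.test https://b.example.test > plan.yaml` writes the plan; the context-name check matters because ZAP addresses jobs by context name, and two targets that collapse to the same name would silently share one scope. Keeping `failOnError: true` makes a broken job (an unreachable target, a missing add-on) fail the run instead of producing an empty report that looks clean.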