"The solution has good performance; it is able to compute in 10 to 15 minutes."
"The solution is scalable, but other solutions are better."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"The UI is very intuitive and simple to use."
"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
"One of the most valuable features is it is flexible."
"The most valuable feature is the application tracking reporting."
"The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display)."
"The solution is good at reporting the vulnerabilities of the application."
"It updates repositories and libraries quickly."
"They offer free access to some other tools."
"Automatic scanning is a valuable feature and very easy to use."
"The solution is scalable."
"The stability of the solution is very good."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx could identify and throw an exception for a null value at run time. It would make things a lot easier if there were a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx could do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We could pay a little extra money and use Checkmarx for everything."
"Checkmarx could improve by reducing the price."
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"The integration could improve by including, for example, DevSecOps."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"Checkmarx could be improved with more integration with third-party software."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, 'Yeah. I'd like something else on the roadmap.' What they're looking to deliver is what I would expect and forecast them to deliver."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"It lacks resources where users can internally access a learning module from the tool."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"The solution is unable to customize reports."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder, where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
Checkmarx is ranked 2nd in Application Security Testing (AST) with 24 reviews while OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews. Checkmarx is rated 7.6, while OWASP Zap is rated 7.2. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". Checkmarx is most compared with SonarQube, Veracode, Micro Focus Fortify on Demand, Snyk and HCL AppScan, whereas OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix, Qualys Web Application Scanning and HCL AppScan. See our Checkmarx vs. OWASP Zap report.