IT Central Station is now PeerSpot: Here's why

Checkmarx vs OWASP Zap comparison

Cancel
You must select at least 2 products to compare!
Checkmarx Logo
42,080 views|32,811 comparisons
OWASP Logo
29,691 views|18,409 comparisons
Featured Review
Buyer's Guide
Checkmarx vs. OWASP Zap
July 2022
Find out what your peers are saying about Checkmarx vs. OWASP Zap and other solutions. Updated: July 2022.
621,548 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The solution has good performance, it is able to compute in 10 to 15 minutes.""The solution is scalable, but other solutions are better.""I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy.""The UI is very intuitive and simple to use.""The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.""One of the most valuable features is it is flexible.""The most valuable feature is the application tracking reporting.""The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."

More Checkmarx Pros →

"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.""It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).""The solution is good at reporting the vulnerabilities of the application.""It updates repositories and libraries quickly.""They offer free access to some other tools.""Automatic scanning is a valuable feature and very easy to use.""The solution is scalable.""The stability of the solution is very good."

More OWASP Zap Pros →

Cons
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.""Checkmarx could improve by reducing the price.""Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.""The integration could improve by including, for example, DevSecOps.""They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.""Checkmarx could be improved with more integration with third-party software.""The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement.""There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."

More Checkmarx Cons →

"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed.""It would be a great improvement if they could include a marketplace to add extra features to the tool.""Zap could improve by providing better reports for security and recommendations for the vulnerabilities.""Lacks resources where users can internally access a learning module from the tool.""It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.""The solution is unable to customize reports.""The forced browse has been incorporated into the program and it is resource-intensive.""The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."

More OWASP Zap Cons →

Pricing and Cost Advice
  • "It's relatively expensive."
  • "The interface used to create custom rules comes at an additional cost."
  • "The number of users and coverage for languages will have an impact on the cost of the license."
  • "Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
  • "It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
  • "Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
  • "We have purchased an annual license to use this solution. The price is reasonable."
  • "We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
  • More Checkmarx Pricing and Cost Advice →

  • "This solution is open source and free."
  • "We have used the freeware version. I believe Zap only has freeware."
  • More OWASP Zap Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Testing (AST) solutions are best for your needs.
    621,548 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
    Top Answer:JaeLee, check out our comparison page hereof Veracode vs Checkmarx: https://www.itcentralstation.c... Checkmarx is ranked 4th, while Veracode is ranked 1st with 39 reviews. Checkmarx is rated 8.0,… more »
    Top Answer:I’ve always viewed sonarqube as a code quality tool that compliments many code security tools like a checkmarx. 
    Top Answer:OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with… more »
    Top Answer:The solution has tightened our security.
    Top Answer:We have used the freeware version. I believe Zap only has freeware.
    Ranking
    Views
    42,080
    Comparisons
    32,811
    Reviews
    20
    Average Words per Review
    460
    Rating
    7.6
    Views
    29,691
    Comparisons
    18,409
    Reviews
    9
    Average Words per Review
    509
    Rating
    7.1
    Comparisons
    Learn More
    Overview

    Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

    Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

    Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

    Checkmarx Features

    Some of Checkmarx’s features include:

    • Source code scanning: Detect and repair more vulnerabilities before you release your code.

    • Open-source scanning: Find and eliminate the risks in your open-source code.

    • Interactive code scanning: Scan for vulnerabilities and runtime threats.

    • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

    Reviews from Real Users

    Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

    PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

    A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

    A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

    OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their applications to discover vulnerabilities and prevent hostile attacks. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and an international group of volunteers is maintaining it. This tool is both flexible and extensible and is intended to be used by users who are new to application security as well as expert testers. For the users' convenience, OWASP ZAP has versions for each major OS and Docker platform so as not to rely on any single OS.

    OWASP ZAP focuses on being the “middle man proxy,” as it is positioned between the user’s browser and the web application. In doing so, it will intercept and examine messages that are sent between a browser and a web application. If needed, it will adjust the contents and pass those packets on to their destination. As is the case in many corporate settings, if there is already another network proxy in use, ZAP can be configured to join that proxy. A variety of add-ons for further functionality is available on ZAP Marketplace.

    OWASP ZAP offers a range of security automation options, including:

    • Docker Packaged Scans: A ZAP automation scanner that provides a lot of flexibility and makes it easy for the user to get started with the tool.

    • Quick Start Command Line: A rapid and straightforward scanner that is suitable for a quick scan.

    • API and Daemon Mode: Through a comprehensive API, this mode gives the user complete control over ZAP.

    • Automation Framework: A state-of-the-art framework that is not tied to any current container technology. This framework will, in time, take over the Command Line and the Package Scan options.

    • GitHub Actions: The ability to use any associated and available GitHub package scan.

    Benefits of OWASP ZAP

    Some of OWASP ZAP’s benefits include:

    • The ability to run an automated scan. Once set up, ZAP will deploy two spiders to crawl the web application and subsequently scan each page it finds.

    • It interprets your results and sends an automated alert. After scanning the web application, all requests and responses sent to each page are recorded. If there is a potential problem, an alert is created and sent to the user.

    • An intuitive and innovative interface. The Heads Up Display (HUD) is a new feature that provides capabilities right in the browser. It is great for people new to web security and experienced testers alike.

    Reviews from Real Users

    OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and its being a free open-source solution..

    PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."

    Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”

    Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

    Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."

    Offer
    Learn more about Checkmarx
    Learn more about OWASP Zap
    Sample Customers
    YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
    Information Not Available
    Top Industries
    REVIEWERS
    Computer Software Company38%
    Financial Services Firm19%
    Pharma/Biotech Company10%
    Manufacturing Company10%
    VISITORS READING REVIEWS
    Computer Software Company24%
    Financial Services Firm19%
    Comms Service Provider12%
    Manufacturing Company6%
    REVIEWERS
    Computer Software Company33%
    Financial Services Firm17%
    Retailer8%
    Manufacturing Company8%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Comms Service Provider25%
    Financial Services Firm6%
    Government6%
    Company Size
    REVIEWERS
    Small Business39%
    Midsize Enterprise16%
    Large Enterprise45%
    VISITORS READING REVIEWS
    Small Business13%
    Midsize Enterprise12%
    Large Enterprise75%
    REVIEWERS
    Small Business17%
    Midsize Enterprise29%
    Large Enterprise54%
    VISITORS READING REVIEWS
    Small Business19%
    Midsize Enterprise19%
    Large Enterprise63%
    Buyer's Guide
    Checkmarx vs. OWASP Zap
    July 2022
    Find out what your peers are saying about Checkmarx vs. OWASP Zap and other solutions. Updated: July 2022.
    621,548 professionals have used our research since 2012.

    Checkmarx is ranked 2nd in Application Security Testing (AST) with 24 reviews while OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews. Checkmarx is rated 7.6, while OWASP Zap is rated 7.2. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". Checkmarx is most compared with SonarQube, Veracode, Micro Focus Fortify on Demand, Snyk and HCL AppScan, whereas OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix, Qualys Web Application Scanning and HCL AppScan. See our Checkmarx vs. OWASP Zap report.

    See our list of best Application Security Testing (AST) vendors.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.