OWASP Zap vs OpenText Core Application Security vs PortSwigger Burp Suite Professional comparison

OpenText and OWASP are both solutions in the Static Application Security Testing (SAST) category. OpenText is ranked #12 with an average rating of 8.0, while OWASP is ranked #11 with an average rating of 8.0. OpenText holds a 4.0% mindshare in SAST, compared to OWASP’s 4.7% mindshare. Additionally, 89% of OpenText users are willing to recommend the solution, compared to 88% of OWASP users who would recommend it.

OpenText Core Application S...

Read 60 OpenText Core Application Security reviews

6,317 Views
1,218 Comparison Views

89% willing to recommend

OWASP Zap

Read 41 OWASP Zap reviews

9,575 Views
514 Comparison Views

88% willing to recommend

PortSwigger Burp Suite Prof...

Read 63 PortSwigger Burp Suite Professional reviews

3,355 Views
681 Comparison Views

98% willing to recommend

OpenText Core Application S...

OWASP Zap

PortSwigger Burp Suite Prof...

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between OpenText Core Application Security, OWASP Zap, and PortSwigger Burp Suite Professional based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: June 2025).

Buyer's Guide

Static Application Security Testing (SAST)

June 2025

Download the complete report

Helped 858,038 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of June 2025, in the Static Application Security Testing (SAST) category, the mindshare of OpenText Core Application Security is 4.0%, down from 4.6% compared to the previous year. The mindshare of OWASP Zap is 4.7%, down from 4.9% compared to the previous year. The mindshare of PortSwigger Burp Suite Professional is 2.0%, down from 2.1% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Jonathan Steyn

Principal Technical Consultant at EOH

Source code analyzer, FPR file generation, reduction of false positives and generates compliance reports, for in-depth analysis

Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve. That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively. But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand. But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively. So training is required. All skills are needed to learn how to use the tool. I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool. It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.

Read full review

Amit Beniwal

Project Manager at Al Hassan LLC

Simplifies vulnerability discovery and has high quality support

There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Read full review

Anuradha.Kapoor Kapoor

Head - Quality Control at Net Solutions

Offers efficient scanning of entire websites but presence of false positive bugs, leading to time-consuming efforts in distinguishing real bugs from false alarms

We have found that so many times, false positive bugs are there, and then we spend a lot of time basically separating them from real bugs. So that's the reason we are looking for some other tool. So we were in discussion with Acunetix. Therefore, the false positive rate is, like, something that we would like to improve. What we are looking for is if this false positive rate goes down because we were OWASP Zap tool users, which was free anyway. But there were a lot of false positives there, and we used to spend a lot of time, like, for security reasons, reproducing those bugs for the development team to fix it. So then we thought, okay, why not we go with the tool? Even if it is not very expensive. But still, every year, we have to renew the license. And we got this tool. Again, we found that in this tool also, even if it is less, there are still a lot of false positive bugs out there. So we again have to spend so much time. So we hired a security tester, who was basically using Acunetix in his previous company for almost three years, and then you said that in that scanning is very slow. The scanning is also slow. Like, sometimes the site scan takes eight hours, six to eight hours. Yeah. And whereas in Acunetix, it took three to four hours. And plus, there are no false positives. I'm not saying none but there's very little. But here, the rate sometimes is very high. These are the two features I think we would like to improve further.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."

"Being able to reduce risk overall is a very valuable feature for us."

"Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases."

"This product is top-notch solution and the technology is the best on the market."

"It has saved us a lot of time as we focus primarily on programming rather than tool operational work."

"It helps deploy and track changes easily as per time-to-time market upgrades."

"The scanning capabilities, particularly for our repositories, have been invaluable."

"The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."

More OpenText Core Application Security pros

"It has improved my organization with faster security tests."

"The scalability of this product is very good."

"The product helps users to scan and fix vulnerabilities in the pipeline."

"The application scanning feature is the most valuable feature."

"They offer free access to some other tools."

"The solution has tightened our security."

"The product discovers more vulnerabilities compared to other tools."

"OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."

More OWASP Zap pros

"The initial setup is simple."

"The technical support from PortSwigger is excellent, managing response time and quality efficiently without any issues."

"The solution scans web applications and supports APIs, which are the main features I really like."

"It helps in API testing, where manual intervention was previously necessary for each payload."

"The intercepting feature is the most valuable."

"The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."

""The product is very good just the way it is; It has everything already well established and functions great. I can't see any way for this current version to be improved.""

"BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding."

More PortSwigger Burp Suite Professional pros

Cons

"There are frequent complaints about false positives from Fortify."

"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."

"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."

"It would be highly beneficial if Fortify on Demand incorporated runtime analysis, similar to how Contrast Security utilizes agents for proactive application security."

"With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."

"There are lots of limitations with code technology. It cannot scan .net properly either."

"There were some regulated compliances, which were not there."

"It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."

More OpenText Core Application Security cons

"OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."

"It needs more robust reporting tools."

"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."

"Deployment is somewhat complicated."

"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."

"Sometimes, we get some false positives."

"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."

"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."

More OWASP Zap cons

"Currently, the scanning is only available in the full version of Burp, and not in the Community version."

"The Burp Collaborator needs improvement. There also needs to be improved integration."

"There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment."

"The scanner and crawler need to be improved."

"We wish that the Spider feature would appear in the same shape that it does in previous versions."

"Scanning APIs using PortSwigger Burp Suite Professional takes a lot of time."

"One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome."

"A lot of our interns find it difficult to get used to PortSwigger Burp's environment."

More PortSwigger Burp Suite Professional cons

Pricing and Cost Advice

"We make an annual purchase of the licenses we need."

"The solution is expensive and the price could be reduced."

"It's a yearly contract, but I don't remember the dollar amount."

"It is not more expensive than other solutions, but the pricing is competitive."

"Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based."

"Fortify on Demand is moderately priced, but its pricing could be more flexible."

"We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000."

"The product's cost depends on the type of license."

More OpenText Core Application Security pricing and cost advice

"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy."

"We have used the freeware version. I believe Zap only has freeware."

"This is an open-source solution and can be used free of charge."

"It is open source, and we can scan freely."

"The tool is open source."

"The solution’s pricing is high."

"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."

"The tool is open-source."

More OWASP Zap pricing and cost advice

"PortSwigger Burp Suite Professional is an expensive solution."

"At $400 or $500 per license paid annually, it is a very cheap tool."

"The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees."

"This solution requires a license. It is expensive but you receive a lot of functionality for the price."

"It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep."

"The pricing of the solution is cost-effective and is best suited for small and medium-sized businesses."

"There are different licenses available that include a free version."

"It has a yearly license. I am satisfied with its price."

More PortSwigger Burp Suite Professional pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

858,038 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

19%

Manufacturing Company

15%

Computer Software Company

11%

Government

Computer Software Company

17%

Financial Services Firm

12%

Manufacturing Company

Government

Computer Software Company

15%

Financial Services Firm

13%

Government

11%

Manufacturing Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What do you like most about Micro Focus Fortify on Demand?

It helps deploy and track changes easily as per time-to-time market upgrades.

See all answers

What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?

In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing...

See all answers

What needs improvement with Micro Focus Fortify on Demand?

There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the ...

See all answers

Is OWASP Zap better than PortSwigger Burp Suite Pro?

OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...

See all answers

What do you like most about OWASP Zap?

The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...

See all answers

What is your experience regarding pricing and costs for OWASP Zap?

OWASP might be cost-effective, however, people prefer to use the free edition available as open source.

See all answers

What do you like most about PortSwigger Burp Suite Professional?

The solution helped us discover vulnerabilities in our applications.

See all answers

What is your experience regarding pricing and costs for PortSwigger Burp Suite Professional?

I find the price of PortSwigger Burp Suite Professional to be very cost-efficient.

See all answers

What needs improvement with PortSwigger Burp Suite Professional?

The dashboard of PortSwigger Burp Suite Professional could be made more user-friendly.

See all answers

Comparisons

SonarQube Server (formerly SonarQube) vs OpenText Core Application Security

Compared 18% of the time

Checkmarx One vs OpenText Core Application Security

Compared 13% of the time

Veracode vs OpenText Core Application Security

Compared 12% of the time

Coverity vs OpenText Core Application Security

Compared 11% of the time

OpenText Dynamic Application Security Testing vs OpenText Core Application Security

Compared 4% of the time

More OpenText Core Application Security Competitors

SonarQube Server (formerly SonarQube) vs OWASP Zap

Compared 20% of the time

Acunetix vs OWASP Zap

Compared 16% of the time

Checkmarx One vs OWASP Zap

Compared 10% of the time

Qualys Web Application Scanning vs OWASP Zap

Compared 9% of the time

SonarQube Cloud (formerly SonarCloud) vs OWASP Zap

Compared 3% of the time

More OWASP Zap Competitors

Acunetix vs PortSwigger Burp Suite Professional

Compared 18% of the time

OpenText Dynamic Application Security Testing vs PortSwigger Burp Suite Professional

Compared 14% of the time

SonarQube Server (formerly SonarQube) vs PortSwigger Burp Suite Professional

Compared 8% of the time

HCL AppScan vs PortSwigger Burp Suite Professional

Compared 6% of the time

w3af vs PortSwigger Burp Suite Professional

Compared 1% of the time

More PortSwigger Burp Suite Professional Competitors

Product Reports

Buyer's Guide

OpenText Core Application Security

June 2025

OpenText Core Application Security report

Download OpenText Core Application Security product report

Buyer's Guide

OWASP Zap

May 2025

Download OWASP Zap product report

Buyer's Guide

PortSwigger Burp Suite Professional

May 2025

PortSwigger Burp Suite Professional report

Download PortSwigger Burp Suite Professional product report

Also Known As

Micro Focus Fortify on Demand

No data available

Burp

Overview

OpenText Core Application Security offers robust features like static and dynamic scanning, real-time vulnerability tracking, and seamless integration with development platforms, designed to enhance code security and reduce operational costs.

OpenText Core Application Security is a cloud-based, on-demand service providing accurate and deep scanning capabilities with detailed reporting. Its integrations with development platforms ensure an enhanced security layer in the development lifecycle, benefiting users by lowering operational costs and facilitating efficient remediation. The platform addresses needs for intuitive interfaces, API support, and comprehensive vulnerability assessments, helping improve code security and accelerate time-to-market. Despite its strengths, challenges exist around false positives, report clarity, and language support, alongside confusing pricing and package options. Enhancements are sought in areas like CI/CD pipeline configuration, report visualization, scan times, and integration with third-party tools such as GitLab, container scanning, and software composition analysis.

What features define OpenText Core Application Security?

Static and Dynamic Scanning: Offers thorough analysis to identify vulnerabilities during development.
Real-time Vulnerability Tracking: Continuously updates and monitors potential security threats.
Seamless Development Platform Integration: Enhances security processes without disrupting workflows.
Cloud-Based Service: Provides flexible, on-demand security capabilities with accurate results.
API Support: Allows smooth integration and automation within existing systems.

What benefits should users look for in reviews?

Reduced Operational Costs: Optimizes resources by lowering costs associated with security management.
Efficient Remediation: Speeds up the process of identifying and resolving vulnerabilities.
Enhanced Code Security: Strengthens overall application security during the development lifecycle.
Accelerated Time-to-Market: Streamlines development stages by integrating essential security tools.

Industries like mobile applications, e-commerce, and banking leverage OpenText Core Application Security for its ability to identify vulnerabilities such as SQL injections. Integrating seamlessly with DevSecOps and security auditing processes, this tool supports developers in writing safer code, ensuring secure application deployment and enhancing software assurance.

OpenText

OWASP Zap is a free and open-source web application security scanner.

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP

Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

PortSwigger

Sample Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS

Google, Amazon, NASA, FedEx, P&G, Salesforce

Buyer's Guide

Static Application Security Testing (SAST)

June 2025

Download Free Report

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: June 2025.

DOWNLOAD NOW

858,038 professionals have used our research since 2012.