
Fortify WebInspect vs OWASP Zap comparison

Fortify WebInspect: 7,658 views | 5,137 comparisons
OWASP Zap: 29,691 views | 18,409 comparisons
Buyer's Guide
Fortify WebInspect vs. OWASP Zap
May 2022
Find out what your peers are saying about Fortify WebInspect vs. OWASP Zap and other solutions. Updated: May 2022.
621,548 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
Fortify WebInspect:
  • "Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features."
  • "The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
  • "Fortify WebInspect is a scalable solution, it is good for a lot of applications."
  • "The solution is easy to use."
  • "The most valuable feature of this solution is the ability to make our customers more secure."
  • "When we are integrating it with SSC, we're able to scan and trace and see all of the vulnerabilities. Comparison is easy in SSC."

OWASP Zap:
  • "It has evolved over the years and recently in the last year they have added HUD (Heads Up Display)."
  • "The stability of the solution is very good."
  • "The solution is good at reporting the vulnerabilities of the application."
  • "It updates repositories and libraries quickly."
  • "The solution is scalable."
  • "They offer free access to some other tools."
  • "Automatic scanning is a valuable feature and very easy to use."
  • "Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."

Cons
Fortify WebInspect:
  • "The scanner could be better."
  • "A localized version, for example, in Korean would be a big improvement to this solution."
  • "Lately, we've seen more false negatives."
  • "It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application."
  • "Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use."

OWASP Zap:
  • "Reporting format has no output, is cluttered and very long."
  • "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
  • "Lacks resources where users can internally access a learning module from the tool."
  • "It would be a great improvement if they could include a marketplace to add extra features to the tool."
  • "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
  • "The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
  • "The forced browse has been incorporated into the program and it is resource-intensive."

Pricing and Cost Advice
Fortify WebInspect:
  • "Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."
  • "The price is okay."
  • "This solution is very expensive."

OWASP Zap:
  • "This solution is open source and free."
  • "We have used the freeware version. I believe Zap only has freeware."
Questions from the Community
  • Top Answer: I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
  • Top Answer: When we are integrating it with SSC, we're able to scan and trace and see all of the vulnerabilities. Comparison is easy in SSC.
  • Top Answer: OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with…
  • Top Answer: The solution has tightened our security.
  • Top Answer: We have used the freeware version. I believe Zap only has freeware.
Ranking

                          Fortify WebInspect   OWASP Zap
Views                     7,658                29,691
Comparisons               5,137                18,409
Reviews                   4                    9
Average Words per Review  373                  509
Rating                    7.5                  7.1

Also Known As (Fortify WebInspect): Micro Focus WebInspect, WebInspect

Overview

    Fortify WebInspect is an automated DAST solution that helps security professionals and QA testers uncover security vulnerabilities and configuration concerns by providing complete vulnerability detection. This is accomplished by mimicking real-world external security attacks on a live application in order to discover and prioritize concerns for root-cause study. Fortify WebInspect provides a number of REST APIs for easier integration, as well as the ability to be maintained via an intuitive UI or totally automated.

    Fortify WebInspect may be used as a completely automated solution to suit DevOps and scaling requirements, and it integrates seamlessly with the SDLC. REST APIs aid in closer integration by automating scans and ensuring that compliance standards are satisfied. Users can make use of pre-built integrations for Micro Focus Lifecycle Management (ALM) and Quality Center, as well as other security testing and management platforms.

    Teams may reuse current scripts and tools thanks to powerful connectors. Any Selenium script can be simply integrated with Fortify WebInspect. Fortify WebInspect supports Swagger and OData formats via the WISwag command line tool, allowing it to work with any DevOps workflow. A scan template can be pre-configured by ScanCentral Admin and sent to users to scan their apps, with zero security knowledge required.

    Fortify WebInspect Features

    Fortify WebInspect has many valuable key features. Some of the most useful ones include:

    • Security testing of functional applications (FAST): FAST uses the same functional tests that IAST does, but then continues crawling, so it also covers what the functional tests miss.
    • Insights from a hacker's perspective: View discoveries such as client-side frameworks and version number. These are findings that, if not addressed, could lead to vulnerabilities.
    • Workflow macros HAR files: Fortify WebInspect can scan workflows with HAR files, ensuring that crucial content is not missed.
    • Management of compliance: Preconfigured policies and reports for all key online application security compliance regulations, such as PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP, and HIPAA.
    • Horizontal scaling can help you speed up your work: Using Kubernetes, horizontal scaling creates small instances of WebInspect that only process JavaScript. This allows the scans to run in parallel, resulting in significantly faster scans.
    • Scan any API for better accuracy: Get the complete picture on APIs, including SOAP, REST, Swagger, OpenAPI, and Postman.
    • Managing the security of enterprise applications: To meet DevOps requirements, monitor trends within an application and take action on the most critical issues first.
    • Deployment options: With the flexibility of on-premise, SaaS, or AppSec-as-a-service, you can get started immediately and scale as needed.

    Fortify WebInspect Benefits

    There are many benefits to implementing Fortify WebInspect. Some of the biggest advantages the solution offers include:

    • Vulnerabilities are discovered faster and earlier.
    • Automation and agent technology can help you save time.
    • Users can crawl modern web technologies and frameworks.
    • ScanCentral DAST helps you manage enterprise app security risk.

    Reviews from Real Users

    Fortify WebInspect stands out among its competitors for a number of reasons. One major one is its robust centralized dashboard, which gives insight into all vulnerabilities.

    Milin S., an Information Security Architect at a real estate/law firm, writes of the product, “Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features. The vulnerability management part of it is very easy. We can suppress or comment on each vulnerability and assign a vulnerability to an individual risk owner, which makes the work easy.”

    OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their applications to discover vulnerabilities and prevent hostile attacks. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and an international group of volunteers is maintaining it. This tool is both flexible and extensible and is intended to be used by users who are new to application security as well as expert testers. For the users' convenience, OWASP ZAP has versions for each major OS and Docker platform so as not to rely on any single OS.

    OWASP ZAP focuses on being the “middle man proxy,” as it is positioned between the user’s browser and the web application. In doing so, it intercepts and examines the HTTP messages sent between the browser and the web application. If needed, it adjusts the contents and passes the modified messages on to their destination. As is the case in many corporate settings, if there is already another network proxy in use, ZAP can be configured to chain through that proxy. A variety of add-ons for further functionality is available on the ZAP Marketplace.

    OWASP ZAP offers a range of security automation options, including:

    • Docker Packaged Scans: A ZAP automation scanner that provides a lot of flexibility and makes it easy for the user to get started with the tool.

    • Quick Start Command Line: A rapid and straightforward scanner that is suitable for a quick scan.

    • API and Daemon Mode: Through a comprehensive API, this mode gives the user complete control over ZAP.

    • Automation Framework: A state-of-the-art framework that is not tied to any current container technology. This framework will, in time, take over the Command Line and the Package Scan options.

    • GitHub Actions: The ability to use any associated and available GitHub package scan.

    Benefits of OWASP ZAP

    Some of OWASP ZAP’s benefits include:

    • The ability to run an automated scan. Once set up, ZAP will deploy two spiders to crawl the web application and subsequently scan each page it finds.

    • It interprets your results and sends an automated alert. After scanning the web application, all requests and responses sent to each page are recorded. If there is a potential problem, an alert is created and sent to the user.

    • An intuitive and innovative interface. The Heads Up Display (HUD) is a new feature that provides capabilities right in the browser. It is great for people new to web security and experienced testers alike.

    Reviews from Real Users

    OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and its being a free open-source solution.

    PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."

    Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”

    Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle is what we will look for. This solution helps us find them.”

    Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."

Sample Customers
  • Fortify WebInspect: Aaron's
  • OWASP Zap: Information Not Available
Top Industries

Fortify WebInspect, reviewers:
  • Real Estate/Law Firm 29%
  • Financial Services Firm 29%
  • Consumer Goods Company 14%
  • Manufacturing Company 14%

Fortify WebInspect, visitors reading reviews:
  • Computer Software Company 28%
  • Comms Service Provider 13%
  • Government 13%
  • Financial Services Firm 10%

OWASP Zap, reviewers:
  • Computer Software Company 33%
  • Financial Services Firm 17%
  • Retailer 8%
  • Manufacturing Company 8%

OWASP Zap, visitors reading reviews:
  • Computer Software Company 26%
  • Comms Service Provider 25%
  • Financial Services Firm 6%
  • Government 6%

Company Size

Fortify WebInspect, reviewers:
  • Small Business 21%
  • Midsize Enterprise 7%
  • Large Enterprise 71%

Fortify WebInspect, visitors reading reviews:
  • Small Business 14%
  • Midsize Enterprise 13%
  • Large Enterprise 72%

OWASP Zap, reviewers:
  • Small Business 17%
  • Midsize Enterprise 29%
  • Large Enterprise 54%

OWASP Zap, visitors reading reviews:
  • Small Business 19%
  • Midsize Enterprise 19%
  • Large Enterprise 63%

    Fortify WebInspect is ranked 1st in Dynamic Application Security Testing (DAST) with 6 reviews while OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews. Fortify WebInspect is rated 7.0, while OWASP Zap is rated 7.2. The top reviewer of Fortify WebInspect writes "Good reporting and vulnerability management, but needs better performance and resource utilization". On the other hand, the top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". Fortify WebInspect is most compared with Micro Focus Fortify on Demand, PortSwigger Burp Suite Professional, Veracode, HCL AppScan and Acunetix, whereas OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix, Qualys Web Application Scanning and Invicti. See our Fortify WebInspect vs. OWASP Zap report.

    We monitor all Dynamic Application Security Testing (DAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.