"The most valuable feature of HCL AppScan is scanning QR codes."
"It identifies all the URLs and domains on its own and then performs tests and provides the results."
"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
"AppScan is stable."
"There's extensive functionality with custom rules and a custom knowledge base."
"It was easy to set up."
"The solution offers services in a few specific development languages."
"The stability of the solution is very good."
"They offer free access to some other tools."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"It updates repositories and libraries quickly."
"The solution is good at reporting the vulnerabilities of the application."
"The solution is scalable."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"Simple to use, good user interface."
"The dashboard, for AppScan or the Fortified fast tool, which we use needs to be improved."
"The solution could improve by having a mobile version."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"One thing which I think can be improved is the CI/CD Integration"
"AppScan is too complicated and should be made more user-friendly."
"They have to improve support."
"Sometimes it doesn't work so well."
"Reporting format has no output, is cluttered and very long."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Too many false positives; test reports could be improved."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The solution is unable to customize reports."
IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their applications to discover vulnerabilities and prevent hostile attacks. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and an international group of volunteers is maintaining it. This tool is both flexible and extensible and is intended to be used by users who are new to application security as well as expert testers. For the users' convenience, OWASP ZAP has versions for each major OS and Docker platform so as not to rely on any single OS.
OWASP ZAP focuses on being the “middle man proxy,” as it is positioned between the user’s browser and the web application. In doing so, it will intercept and examine messages that are sent between a browser and a web application. If needed, it will adjust the contents and pass those packets on to their destination. As is the case in many corporate settings, if there is already another network proxy in use, ZAP can be configured to join that proxy. A variety of add-ons for further functionality is available on ZAP Marketplace.
OWASP ZAP offers a range of security automation options, including:
Benefits of OWASP ZAP
Some of OWASP ZAP’s benefits include:
Reviews from Real Users
OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and its being a free open-source solution..
PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."
Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”
Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.
Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."
HCL AppScan is ranked 11th in Application Security Testing (AST) with 7 reviews while OWASP Zap is ranked 6th in Application Security Testing (AST) with 10 reviews. HCL AppScan is rated 7.0, while OWASP Zap is rated 7.0. The top reviewer of HCL AppScan writes "Improves application security, identifies gaps, and performs well". On the other hand, the top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". HCL AppScan is most compared with SonarQube, Veracode, Micro Focus Fortify on Demand, PortSwigger Burp Suite Professional and Fortify WebInspect, whereas OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix, Qualys Web Application Scanning and SonarCloud. See our HCL AppScan vs. OWASP Zap report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.