IT Central Station is now PeerSpot: Here's why

OWASP Zap vs Qualys Web Application Scanning comparison

Cancel
You must select at least 2 products to compare!
Q&A Highlights
Question: What is the biggest difference between OWASP Zap and Qualys?
Answer: por ahora estoy usando Owasp Zap, es muy intuitivo y sus reportes muy detallados, probe con burp suite pero no me convencio por el cosoto
Featured Review
Buyer's Guide
OWASP Zap vs. Qualys Web Application Scanning
July 2022
Find out what your peers are saying about OWASP Zap vs. Qualys Web Application Scanning and other solutions. Updated: July 2022.
621,548 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).""Automatic scanning is a valuable feature and very easy to use.""The solution is scalable.""The solution is good at reporting the vulnerabilities of the application.""The solution has tightened our security.""They offer free access to some other tools.""It updates repositories and libraries quickly.""The stability of the solution is very good."

More OWASP Zap Pros →

"It works with many different products.""Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers.""The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours.""It is a very stable solution.""Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile).""I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews.""It is easy to use."

More Qualys Web Application Scanning Pros →

Cons
"It would be a great improvement if they could include a marketplace to add extra features to the tool.""Zap could improve by providing better reports for security and recommendations for the vulnerabilities.""Reporting format has no output, is cluttered and very long.""Lacks resources where users can internally access a learning module from the tool.""The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed.""The solution is unable to customize reports.""The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.""It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."

More OWASP Zap Cons →

"There could be better management and faster scanning.""The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs.""When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.""Sometimes the response time is low because the handshake fails, and then you have to re-login and start again.""The virus code updates are not frequent enough.""The reporting contains too many false positives.""Deployment can be complicated.""We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."

More Qualys Web Application Scanning Cons →

Pricing and Cost Advice
  • "This solution is open source and free."
  • "We have used the freeware version. I believe Zap only has freeware."
  • More OWASP Zap Pricing and Cost Advice →

  • "The cost is $30,000 USD for one year to cover WAS (Web Application Security) and the VM (Virtual Machine) security in a company with 200 employees."
  • "We are on an annual license for the solution and the pricing could be more affordable."
  • "Qualys WAS' pricing is competitive."
  • More Qualys Web Application Scanning Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Testing (AST) solutions are best for your needs.
    621,548 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with… more »
    Top Answer:The solution has tightened our security.
    Top Answer:We have used the freeware version. I believe Zap only has freeware.
    Top Answer:Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile).
    Top Answer:Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications… more »
    Ranking
    Views
    29,691
    Comparisons
    18,409
    Reviews
    9
    Average Words per Review
    509
    Rating
    7.1
    Views
    9,588
    Comparisons
    6,455
    Reviews
    6
    Average Words per Review
    460
    Rating
    7.7
    Comparisons
    Also Known As
    Qualys WAS
    Learn More
    Overview

    OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their applications to discover vulnerabilities and prevent hostile attacks. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and an international group of volunteers is maintaining it. This tool is both flexible and extensible and is intended to be used by users who are new to application security as well as expert testers. For the users' convenience, OWASP ZAP has versions for each major OS and Docker platform so as not to rely on any single OS.

    OWASP ZAP focuses on being the “middle man proxy,” as it is positioned between the user’s browser and the web application. In doing so, it will intercept and examine messages that are sent between a browser and a web application. If needed, it will adjust the contents and pass those packets on to their destination. As is the case in many corporate settings, if there is already another network proxy in use, ZAP can be configured to join that proxy. A variety of add-ons for further functionality is available on ZAP Marketplace.

    OWASP ZAP offers a range of security automation options, including:

    • Docker Packaged Scans: A ZAP automation scanner that provides a lot of flexibility and makes it easy for the user to get started with the tool.

    • Quick Start Command Line: A rapid and straightforward scanner that is suitable for a quick scan.

    • API and Daemon Mode: Through a comprehensive API, this mode gives the user complete control over ZAP.

    • Automation Framework: A state-of-the-art framework that is not tied to any current container technology. This framework will, in time, take over the Command Line and the Package Scan options.

    • GitHub Actions: The ability to use any associated and available GitHub package scan.

    Benefits of OWASP ZAP

    Some of OWASP ZAP’s benefits include:

    • The ability to run an automated scan. Once set up, ZAP will deploy two spiders to crawl the web application and subsequently scan each page it finds.

    • It interprets your results and sends an automated alert. After scanning the web application, all requests and responses sent to each page are recorded. If there is a potential problem, an alert is created and sent to the user.

    • An intuitive and innovative interface. The Heads Up Display (HUD) is a new feature that provides capabilities right in the browser. It is great for people new to web security and experienced testers alike.

    Reviews from Real Users

    OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and its being a free open-source solution..

    PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."

    Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”

    Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

    Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."

    Qualys Web Application Scanning (WAS) is a fully cloud-based web application security scanner. The scanner will automatically crawl periodically and test web applications to discover potential vulnerabilities, including cross-site scripting (XSS) and SQL injection. The consistent testing equips the automated service to generate consistent results, lessen false positives, and offer the ability to scale to protect thousands of websites effortlessly.

    Qualys Web Application Scanning is bundled with different scanning technology to carefully scan websites for malware infections and will send notifications to website owners to assist in preventing blacklisting and brand reputation damage. As digital transformation takes place in various organizations, Qualys WAS gives organizations the ability to track and document their web app security status through its interactive reporting capabilities.

    Qualys WAS empowers organizations to remediate any web application vulnerabilities quickly. Some of the key tools offered are:

    • Deep Scanning: All apps and APIs on your internal network and public cloud are covered by Qualys WAS deep scanning to show you any visible vulnerabilities.

    • DevSec Ops Tool: Detect security issues in your code while still in app development stages and generate comprehensive reports.

    • Comprehensive Discovery: Discover and catalog new and unknown web apps in your network.

    • Malware Detection: Scan a website, identify vulnerabilities, and receive alerts to any infections.


    Benefits of Qualys Web Application Scanning

    Qualys Web Application Scanning offers many benefits, including:

    • Quick Deployment: Requires no infrastructure or software to upkeep.

    • Effortless Scalability: Effortlessly launch a deep scan and protect thousands of websites.

    • Centralized Management: Manage and mend all web app vulnerabilities through a single interface.

    • Excellent Integration Capabilities: Integrates with Qualys Web App Firewall (WAF) for a single-click virtual patching of found vulnerabilities.

    • Respond to Threats Immediately: Qualys Continuous Monitoring offers the user a hands-free service by automatically launching scanning and sending notifications of a potential threat.

    • Cost-effective Solution: Data is analyzed in real time as Qualys WAS is an end-to-end solution; this helps avoid costs associated with managing multiple security vendors.

    Reviews from Real Users

    Qualys Web Application Scanning stands out among its competitors for a variety of reasons. Two of those reasons are its progressive scan and quick detection of vulnerabilities.

    P.K., a senior software developer at a tech vendor, writes, "The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."

    Nagaraj S., lead cybersecurity engineer at a tech service company, notes, "I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."

    Offer
    Learn more about OWASP Zap
    Learn more about Qualys Web Application Scanning
    Sample Customers
    Information Not Available
    BskyB, Cartagena, ClearPoint Learning Systems, Connect Group, du, Fortrex Technologies, HBOR, HDI, Highlights for Children, The Lithuanian State Enterprise Centre of Registers, City of Miami Beach, Microsoft, MidlandHR, MSCI Inc., Northern Arizona University, Ofgem, Olympus Europa, PhoneFactor, RTL Nederland, ThousandEyes, VGZ Organisatie B.V.
    Top Industries
    REVIEWERS
    Computer Software Company33%
    Financial Services Firm17%
    Retailer8%
    Manufacturing Company8%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Comms Service Provider25%
    Financial Services Firm6%
    Government6%
    REVIEWERS
    Financial Services Firm40%
    Comms Service Provider10%
    Computer Software Company10%
    Recruiting/Hr Firm10%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Comms Service Provider14%
    Financial Services Firm10%
    Insurance Company6%
    Company Size
    REVIEWERS
    Small Business17%
    Midsize Enterprise29%
    Large Enterprise54%
    VISITORS READING REVIEWS
    Small Business19%
    Midsize Enterprise19%
    Large Enterprise63%
    REVIEWERS
    Small Business13%
    Midsize Enterprise13%
    Large Enterprise74%
    VISITORS READING REVIEWS
    Small Business19%
    Midsize Enterprise16%
    Large Enterprise65%
    Buyer's Guide
    OWASP Zap vs. Qualys Web Application Scanning
    July 2022
    Find out what your peers are saying about OWASP Zap vs. Qualys Web Application Scanning and other solutions. Updated: July 2022.
    621,548 professionals have used our research since 2012.

    OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews while Qualys Web Application Scanning is ranked 9th in Application Security Testing (AST) with 6 reviews. OWASP Zap is rated 7.2, while Qualys Web Application Scanning is rated 7.6. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of Qualys Web Application Scanning writes "Has a good progressive scan feature but the data server needs improvement". OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix, Fortify WebInspect and Invicti, whereas Qualys Web Application Scanning is most compared with Tenable.io Web Application Scanning, Veracode, SonarQube, PortSwigger Burp Suite Professional and Fortify WebInspect. See our OWASP Zap vs. Qualys Web Application Scanning report.

    See our list of best Application Security Testing (AST) vendors.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.