OWASP Zap vs Qualys Web Application Scanning vs Veracode comparison

Qualys Web Application Scan...

Read 207 Veracode reviews

23,090 Views
13,161 Comparison Views

89% willing to recommend

OWASP Zap

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between OWASP Zap, Qualys Web Application Scanning, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about SonarSource Sàrl, Checkmarx, Veracode and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: April 2026).

Static Application Security Testing (SAST)

Download the complete report

Helped 892,383 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of May 2026, in the Static Application Security Testing (SAST) category, the mindshare of OWASP Zap is 3.1%, down from 5.1% compared to the previous year. The mindshare of Qualys Web Application Scanning is 1.9%, down from 2.3% compared to the previous year. The mindshare of Veracode is 4.9%, down from 9.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST) Mindshare Distribution
Product	Mindshare (%)
Veracode	4.9%
Qualys Web Application Scanning	1.9%
OWASP Zap	3.1%
Other	90.1%

Static Application Security Testing (SAST)

Featured Reviews

Nithin-K

Technical Analyst at Hexaware Technologies Limited

Open source testing tool empowers manual activities and has room to improve integration and reporting features

The improvement that has to be done for APIs focuses on manual activities where the feature exists, but it is not at the same level as what Burp Suite does with intercepting and tools such as Postman, so it needs improvement. There are limitations with authentication levels, particularly with form-based and cookie-based authentication. However, overall, we are satisfied with OWASP Zap as there are no major issues, and improving the scan engine could be beneficial. When comparing OWASP Zap and Burp Suite, the main difference besides pricing is that OWASP Zap has limitations with reporting levels and UI, which affects its reporting capabilities, whereas Burp Suite is already advancing with new AI features and scanning capabilities that OWASP Zap seems to be lacking.

Read full review

AnkitSharma13

Security Officer at a tech vendor with 10,001+ employees

Web scanning needs improvement but offers good vulnerability detection

The downside of Qualys Web Application Scanning is that it cannot crawl automatically. If I provide an IP address and a login form, it does basic testing, but it doesn't go deep as IBM AppScan does. If Qualys Web Application Scanning could improve its crawling capability, it would be more user-friendly. Qualys Web Application Scanning does IP-level testing, requiring direct input of credentials, and can only scan a few pages to provide known generic vulnerabilities, which isn't as beneficial from my point of view. The Vulnerability Management also relies heavily on version numbers and will flag vulnerabilities based on the component version, but it doesn't check if a real fix exists, leading to flags on components that actually have workarounds available.

Read full review

reviewer2703864

Head of Security Architecture at a healthcare company with 5,001-10,000 employees

Onboarding developers successfully while improving code security through IDE integration

Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The pull request analysis is also very good."

"OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool, however, I don't believe we have any kind of a formal relationship with the company."

"OWASP is quite matured in identifying the vulnerabilities."

"The solution has tightened our security and that of our clients who depend on it."

"You can run it against multiple targets."

"The solution is good at reporting the vulnerabilities of the application."

"The scalability of this product is very good."

"Fuzzer and Java APIs help a lot with our custom needs."

More OWASP Zap pros

"QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations."

"WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for."

"The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera."

"Qualys Web Application Scanning is robust and mature from industry standards."

"Technical support is very good whenever we send them a message."

"The features of Qualys Web Application Scanning are impressive as the scan is faster and gets completed quickly, the dashboards look great, the option for scheduled scans makes it fully automated, and customizable reports can be downloaded anytime in CSV, PDF, or whichever format required."

"Qualys Web Application Scanning is very stable and reliable."

More Qualys Web Application Scanning pros

"The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."

"Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."

"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."

"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."

"The time savings has been tremendous."

"Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production."

"It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase."

"When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."

More Veracode pros

Cons

"The product should allow users to customize the report based on their needs."

"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."

"If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better."

"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."

"The product reporting could be improved."

"The forced browse has been incorporated into the program and it is resource-intensive."

"I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance."

"We get too many false positives and that should definitely be improved."

More OWASP Zap cons

"There should be better visibility into the application."

"It should have better automatic reporting."

"It's missing some zero-day patches."

"The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes."

"I would like it to be cheaper because it is a bit expensive compared to competitors like Tenable Nessus."

"The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled."

"There could be better management and faster scanning."

More Qualys Web Application Scanning cons

"The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives."

"Veracode needs to improve its integration with other tools."

"In the next release, I would like a proper way of packaging files for scanning and the packing of IOS apps and API Dynamic scan methodology."

"It's taking too much time to do a quality scan."

"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."

"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."

"Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable."

"Veracode does not support scans for .NET Blazor server applications."

More Veracode cons

Pricing and Cost Advice

"This solution is open source and free."

"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."

"OWASP Zap is free to use."

"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."

"We have used the freeware version. I believe Zap only has freeware."

"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy."

"This app is completely free and open source. So there is no question about any pricing."

"This is an open-source solution and can be used free of charge."

More OWASP Zap pricing and cost advice

"Qualys WAS' pricing is competitive."

"It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders."

"I rate the software’s pricing a six out of ten."

"Qualys Web Application Scanning's pricing is a bit expensive compared to other solutions available in the market."

"There are different options available with respect to licensing."

"Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved."

"From my perspective, it is a budget-friendly option."

"Try the free trial of the product to understand the basic working mechanisms."

More Qualys Web Application Scanning pricing and cost advice

"Veracode has been fair. We use their SaaS solution and it's just an annual subscription."

"The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available."

"If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price."

"When I looked at the pricing, it was definitely a value. In terms of the service and what it's checking, the cost was very reasonable, particularly because we could have multiple code bases as part of a project."

"Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need."

"Depending on the number of users, my company makes payments toward the solution's licensing costs."

"I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."

"The Veracode price model is based on application profiles, which is how you package your components for scanning."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

892,383 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Computer Software Company

11%

Financial Services Firm

University

Manufacturing Company

Financial Services Firm

13%

Manufacturing Company

12%

Computer Software Company

Comms Service Provider

Financial Services Firm

16%

Computer Software Company

11%

Manufacturing Company

11%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	11
Midsize Enterprise	11
Large Enterprise	21

By reviewers
Company Size	Count
Small Business	8
Midsize Enterprise	6
Large Enterprise	27

By reviewers
Company Size	Count
Small Business	69
Midsize Enterprise	45
Large Enterprise	114

Questions from the Community

Is OWASP Zap better than PortSwigger Burp Suite Pro?

OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...

What is your experience regarding pricing and costs for OWASP Zap?

OWASP might be cost-effective, however, people prefer to use the free edition available as open source.

What needs improvement with OWASP Zap?

The improvement that has to be done for APIs focuses on manual activities where the feature exists, but it is not at ...

What is your experience regarding pricing and costs for Qualys Web Application Scanning?

Regarding pricing, I think for personal use, it is costly, but if organizations are ready to pay, then it is fine as ...

What needs improvement with Qualys Web Application Scanning?

The downside of Qualys Web Application Scanning is that it cannot crawl automatically. If I provide an IP address and...

What is your primary use case for Qualys Web Application Scanning?

I use Qualys Web Application Scanning, and we are using Vulnerability Management. By Vulnerability Management, I mean...

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

What do you like most about Veracode Static Analysis?

I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabil...

What is your experience regarding pricing and costs for Veracode Static Analysis?

My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.

PortSwigger Burp Suite Professional vs OWASP Zap

Comparisons

Acunetix vs OWASP Zap

Compared 12% of the time

SonarQube vs OWASP Zap

Compared 10% of the time

Compared 9% of the time

Checkmarx One vs OWASP Zap

Compared 7% of the time

Snyk vs OWASP Zap

Compared 5% of the time

More OWASP Zap Competitors

Checkmarx SAST vs Qualys Web Application Scanning

Compared 7% of the time

SonarQube vs Qualys Web Application Scanning

Compared 6% of the time

PortSwigger Burp Suite Professional vs Qualys Web Application Scanning

Compared 6% of the time

Acunetix vs Qualys Web Application Scanning

Compared 4% of the time

Q-mast vs Qualys Web Application Scanning

Compared 4% of the time

More Qualys Web Application Scanning Competitors

SonarQube vs Veracode

Compared 7% of the time

Checkmarx One vs Veracode

Compared 6% of the time

HCL AppScan vs Veracode

Compared 3% of the time

GitHub Advanced Security vs Veracode

Compared 3% of the time

Coverity Static vs Veracode

Compared 3% of the time

More Veracode Competitors

Product Reports

OWASP Zap

Download OWASP Zap product report

Qualys Web Application Scanning

Download Qualys Web Application Scanning product report

Download Veracode product report

Also Known As

No data available

Qualys WAS

Crashtest Security , Veracode Detect

Overview

OWASP Zap is a free and open-source web application security scanner.

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP

Qualys Web Application Scanning offers advanced vulnerability management, progressive scheduling, and seamless integration with DevOps environments. Its user-friendly design enables enterprises to enhance security with comprehensive scanning and detailed forensic insights.

Qualys Web Application Scanning addresses enterprise-level security challenges by providing robust solutions for vulnerability management, penetration testing, and compliance checks. While easing the navigation process, it supports risk mitigation with precise risk ratings, minimal false positives, and detailed reporting. However, it faces challenges with its complex interface, authenticated scanning, and automation features. Integrating smoothly with CI/CD pipelines, it is suitable for continuous and automated scanning, adapting to diverse company requirements.

What are the standout features of Qualys Web Application Scanning?

Progressive Scheduling: Enables efficient management of scanning activities, optimizing for time-sensitive scenarios.
Vulnerability Management: Offers robust identification and management of vulnerabilities across various applications.
Integration with DevOps: Seamlessly integrates with CI/CD pipelines, supporting rapid development cycles.
Risk Ratings: Provides precise risk assessments, crucial for prioritizing security efforts.
Engaging Dashboard: Offers an intuitive interface for navigating security tasks efficiently.

What benefits or ROI should users look for in Qualys Web Application Scanning reviews?

Scalability: Supports enterprise needs with a design adaptable to diverse security demands.
Risk Mitigation: Detailed alerts and forensic insights aid in reducing potential threats.
Comprehensive Reporting: Facilitates informed decision-making with clear, concise reports.
Penetration Testing: Enhances security assessments with ongoing evaluation capabilities.

Organizations across sectors like education, banking, and international data centers leverage Qualys Web Application Scanning for conducting penetration testing, scanning web applications, and managing vulnerabilities. It aids in audit security and compliance, identifying threats, and generating user-friendly reports, making it a valuable asset for maintaining strong security postures.

Qualys

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Sample Customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS

BskyB, Cartagena, ClearPoint Learning Systems, Connect Group, du, Fortrex Technologies, HBOR, HDI, Highlights for Children, The Lithuanian State Enterprise Centre of Registers, City of Miami Beach, Microsoft, MidlandHR, MSCI Inc., Northern Arizona University, Ofgem, Olympus Europa, PhoneFactor, RTL Nederland, ThousandEyes, VGZ Organisatie B.V.

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Static Application Security Testing (SAST)