"Simple to use, good user interface."
"They offer free access to some other tools."
"The stability of the solution is very good."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The solution is scalable."
"Automatic scanning is a valuable feature and very easy to use."
"It has evolved over the years and recently in the last year they have added HUD (Heads Up Display)."
"It updates repositories and libraries quickly."
"It uses a signature-based method to check for problems with your code and will provide an alert if anything is found."
"The templates feature is very easy. You just choose the kind of attack you want on your web application, and you run it against that template and receive a report. It's great."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"The solution is unable to customize reports."
"Reporting format has no output, is cluttered and very long."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"Too many false positives; test reports could be improved."
"In the future, if they can have integration with a lot of ticketing systems then it would be amazing."
"The interface should be a little bit easier to manage. Sometimes, the logic that they use is kind of strange. They need to work a little bit more on their interface to make it more understandable. The interface is the only problem. I'm using Rapid7, which is very intuitive. There are other applications available in the market with a better interface. They can include more techniques or options to test different types of security because the templates are limited. It would be great to see them follow the MITRE ATT&CK framework or what is there in tools like Veracode and Synopsys."
OWASP Zap is ranked 6th in Application Security Testing (AST) with 10 reviews, while Rapid7 InsightAppSec is unranked in Application Security Testing (AST) with 2 reviews. OWASP Zap is rated 7.0, while Rapid7 InsightAppSec is rated 9.6. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of Rapid7 InsightAppSec writes "Easy to use, amazing technical support, and it provides alerts when problems in code are identified". OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix, Qualys Web Application Scanning and Contrast Security Assess, whereas Rapid7 InsightAppSec is most compared with Rapid7 AppSpider, PortSwigger Burp Suite Professional, Veracode, Invicti and HCL AppScan. See our OWASP Zap vs. Rapid7 InsightAppSec report.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.