
OWASP Zap vs Rapid7 InsightAppSec comparison

Buyer's Guide
OWASP Zap vs. Rapid7 InsightAppSec
May 2022
Find out what your peers are saying about OWASP Zap vs. Rapid7 InsightAppSec and other solutions. Updated: May 2022.
607,332 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
  • "Simple to use, good user interface."
  • "They offer free access to some other tools."
  • "The stability of the solution is very good."
  • "Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
  • "The solution is scalable."
  • "Automatic scanning is a valuable feature and very easy to use."
  • "It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
  • "It updates repositories and libraries quickly."

  • "It uses a signature-based method to check for problems with your code and will provide an alert if anything is found."
  • "The templates feature is very easy. You just choose the kind of attack you want on your web application, and you run it against that template and receive a report. It's great."

Cons
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
  • "The documentation needs to be improved because I had to learn everything from watching YouTube videos."
  • "The forced browse has been incorporated into the program and it is resource-intensive."
  • "The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
  • "The solution is unable to customize reports."
  • "Reporting format has no output, is cluttered and very long."
  • "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
  • "Too many false positives; test reports could be improved."

  • "In the future, if they can have integration with a lot of ticketing systems then it would be amazing."
  • "The interface should be a little bit easier to manage. Sometimes, the logic that they use is kind of strange. They need to work a little bit more on their interface to make it more understandable. The interface is the only problem. I'm using Rapid7, which is very intuitive. There are other applications available in the market with a better interface. They can include more techniques or options to test different types of security because the templates are limited. It would be great to see them follow the MITRE ATT&CK framework or what is there in tools like Veracode and Synopsys."

Pricing and Cost Advice
  • "This is an open-source solution and can be used free of charge."
  • "This solution is open source and free."
  • "We have used the freeware version. I believe Zap only has freeware."

  • "The price of this product is very cheap."

Questions from the Community
Top Answer: OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with…
Top Answer: Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is…
Top Answer: We have used the freeware version. I believe Zap only has freeware.
Ranking
Views: 29,857
Comparisons: 18,842
Reviews: 10
Average Words per Review: 471
Rating: 7.0
Unranked in Application Security Testing (AST)
Also Known As: InsightAppSec
    Overview

    OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their own applications in order to discover vulnerabilities before an attacker does. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and it is maintained by an international group of volunteers. The tool is both flexible and extensible and is intended for users who are new to application security as well as for expert testers. For convenience, OWASP ZAP is available for each major OS and as a Docker image, so it does not depend on any single platform.

    OWASP ZAP is designed to act as a “man-in-the-middle proxy,” positioned between the user’s browser and the web application. In that position it intercepts and examines the messages exchanged between the browser and the web application and, if needed, modifies their contents before passing them on to their destination. In many corporate settings another network proxy is already in use; in that case ZAP can be configured to chain through that upstream proxy. A variety of add-ons providing further functionality is available on the ZAP Marketplace.

    OWASP ZAP offers a range of security automation options, including:

    • Docker Packaged Scans: A ZAP automation scanner that provides a lot of flexibility and makes it easy for the user to get started with the tool.

    • Quick Start Command Line: A rapid and straightforward scanner that is suitable for a quick scan.

    • API and Daemon Mode: Through a comprehensive API, this mode gives the user complete control over ZAP.

    • Automation Framework: A state-of-the-art framework that is not tied to any particular container technology. This framework will, in time, replace the Command Line and the Packaged Scan options.

    • GitHub Actions: The ability to use any associated and available GitHub package scan.

    Benefits of OWASP ZAP

    Some of OWASP ZAP’s benefits include:

    • The ability to run an automated scan. Once set up, ZAP will deploy two spiders to crawl the web application and subsequently scan each page it finds.

    • It interprets your results and sends an automated alert. After scanning the web application, all requests and responses sent to each page are recorded. If there is a potential problem, an alert is created and sent to the user.

    • An intuitive and innovative interface. The Heads Up Display (HUD) is a new feature that provides capabilities right in the browser. It is great for people new to web security and experienced testers alike.

    Reviews from Real Users

    OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and the fact that it is a free, open-source solution.

    PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."

    Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”

    Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle is what we will look for. This solution helps us find them.”

    Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."

    Your web applications may be complex, but your application security testing tool doesn’t need to be. InsightAppSec brings Rapid7’s proven Dynamic Application Security Testing (DAST) technology to the Insight platform, combining powerful application crawling and attack capabilities, flexibility in scan scope and scheduling, and accuracy in results with a modern UI, intuitive workflows, and sensible data organization. This enables you to identify XSS, SQL injection, CSRF, and other vulnerabilities with unparalleled ease. The best part? All of these capabilities are delivered via the cloud so that you’re up and running in minutes to identify the critical security risks that exist in your applications.

    Sample Customers
    OWASP Zap: Information Not Available
    Rapid7 InsightAppSec: CenterPoint Energy, CPA Australia, Hypertherm, First American Financial Corporation, Rackspace
    Top Industries
    REVIEWERS
    Computer Software Company 33%
    Financial Services Firm 17%
    Retailer 8%
    Manufacturing Company 8%
    VISITORS READING REVIEWS
    Computer Software Company 28%
    Comms Service Provider 24%
    Government 6%
    Financial Services Firm 6%
    VISITORS READING REVIEWS
    Computer Software Company 27%
    Comms Service Provider 16%
    Retailer 7%
    Financial Services Firm 6%
    Company Size
    REVIEWERS
    Small Business 17%
    Midsize Enterprise 29%
    Large Enterprise 54%
    VISITORS READING REVIEWS
    Small Business 19%
    Midsize Enterprise 19%
    Large Enterprise 62%
    VISITORS READING REVIEWS
    Small Business 19%
    Midsize Enterprise 19%
    Large Enterprise 62%
    OWASP Zap is ranked 6th in Application Security Testing (AST) with 10 reviews, while Rapid7 InsightAppSec is unranked in Application Security Testing (AST) with 2 reviews. OWASP Zap is rated 7.0, while Rapid7 InsightAppSec is rated 9.6. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of Rapid7 InsightAppSec writes "Easy to use, amazing technical support, and it provides alerts when problems in code are identified". OWASP Zap is most compared with PortSwigger Burp Suite Professional, Veracode, Acunetix, Qualys Web Application Scanning and Contrast Security Assess, whereas Rapid7 InsightAppSec is most compared with Rapid7 AppSpider, PortSwigger Burp Suite Professional, Veracode, Invicti and HCL AppScan. See our OWASP Zap vs. Rapid7 InsightAppSec report.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.