OWASP Zap vs Veracode comparison

Read 203 Veracode reviews

20,179 Views
14,125 Comparison Views

90% willing to recommend

OWASP Zap

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Jul 27, 2025

Veracode and OWASP Zap compete in the application security testing market. Veracode often has the upper hand due to its robust remediation tools and language support, despite OWASP Zap being a cost-effective option with strong community features.

Features: Veracode includes extensive static and dynamic scanning capabilities integrated into the software development lifecycle, multiple programming language support, and robust remediation tools. OWASP Zap offers features like intercepting proxy, automated scanning, and flexibility through community-driven enhancements.

Room for Improvement: Veracode users experience issues with false positives, cumbersome API integrations, and high costs. OWASP Zap could benefit from improved documentation, better integration capabilities, and enhanced reporting features.

Ease of Deployment and Customer Service: Veracode's cloud-based platform provides flexible deployment, suited for hybrid environments with generally strong customer service. OWASP Zap, being on-premises, suits traditional security architectures with community-focused support.

Pricing and ROI: Veracode's pricing is high, reflecting its extensive features and security assurance benefits, though it promises good ROI through reduced vulnerability risks. OWASP Zap is an open-source, cost-effective alternative, with zero licensing costs but potentially higher investments for advanced needs.

To learn more, read our detailed OWASP Zap vs. Veracode Report (Updated: July 2025).

Download the complete report

OWASP Zap vs. Veracode

July 2025

Helped 865,649 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

OWASP Zap

Ranking in Static Application Security Testing (SAST)

11th

Average Rating

7.6

Reviews Sentiment

7.3

Number of Reviews

Ranking in other categories

No ranking in other categories

Veracode

Ranking in Static Application Security Testing (SAST)

2nd

Average Rating

8.0

Reviews Sentiment

7.0

Number of Reviews

203

Ranking in other categories

Application Security Tools (2nd), Container Security (8th), Software Composition Analysis (SCA) (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (2nd)

Mindshare comparison

As of August 2025, in the Static Application Security Testing (SAST) category, the mindshare of OWASP Zap is 4.7%, up from 4.7% compared to the previous year. The mindshare of Veracode is 7.8%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Amit Beniwal

Project Manager at Al Hassan LLC

Simplifies vulnerability discovery and has high quality support

There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Read full review

Sajal Sharma

Test Analyst - Security at Net solutions India Pvt.

Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards

It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The solution is scalable."

"The most valuable feature is scanning the URL to drill down all the different sites."

"The community edition updates services regularly. They add new vulnerabilities into the scanning list."

"The stability of the solution is very good."

"It can be used effectively for internal auditing."

"OWASP Zap is a good tool, one of my favorites for a long time, and I would recommend it."

"You can run it against multiple targets."

"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."

More OWASP Zap pros

"Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."

"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."

"Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."

"I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."

"We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."

"When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."

"The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins."

"Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."

More Veracode pros

Cons

"It would be a great improvement if they could include a marketplace to add extra features to the tool."

"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."

"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."

"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."

"The forced browse has been incorporated into the program and it is resource-intensive."

"OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."

"The technical support team must be proactive."

"The documentation is lacking and out-of-date, it really needs more love."

More OWASP Zap cons

"If you schedule two parallel scans under the same project, one of them will be a failure."

"One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."

"It would be nice if Veracode were bundled with some preferred vendors like Salesforce and offered at a discount."

"I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better."

"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."

"From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front."

"Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."

"Scanning large amounts of code can be a time-consuming process and there is scope for improvement."

More Veracode cons

Pricing and Cost Advice

"We have used the freeware version. I believe Zap only has freeware."

"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy."

"The tool is open-source."

"OWASP Zap is free to use."

"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."

"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."

"It is open source, and we can scan freely."

"This solution is open source and free."

More OWASP Zap pricing and cost advice

"It is expensive. It depends on the use case, but it is very hard to find a pricing page on their website. Instead, they need to analyze your use case, but without knowing the entire project and how you're going to be using Veracode, how many scans you're going to do, if yours is a small business, it is very expensive and it affects ROI."

"I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform."

"I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."

"The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was."

"Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money."

"The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune."

"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."

"I found Veracode very expensive, though I'm not the person paying for it. I was surprised to find out how much the subscription costs and that the executive board approved it, but it was a no-brainer because now my company has better security scans."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

865,649 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Computer Software Company

17%

Financial Services Firm

11%

Manufacturing Company

University

Financial Services Firm

16%

Computer Software Company

16%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

Is OWASP Zap better than PortSwigger Burp Suite Pro?

OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with ...

What do you like most about OWASP Zap?

The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, i...

What is your experience regarding pricing and costs for OWASP Zap?

OWASP might be cost-effective, however, people prefer to use the free edition available as open source.

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

What do you like most about Veracode?

The SAST and DAST modules are great.

What is your experience regarding pricing and costs for Veracode?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

SonarQube Server (formerly SonarQube) vs OWASP Zap

Comparisons

Compared 19% of the time

Acunetix vs OWASP Zap

Compared 14% of the time

Checkmarx One vs OWASP Zap

Compared 11% of the time

Qualys Web Application Scanning vs OWASP Zap

Compared 9% of the time

PortSwigger Burp Suite Professional vs OWASP Zap

Compared 5% of the time

More OWASP Zap Competitors

SonarQube Server (formerly SonarQube) vs Veracode

Compared 17% of the time

Checkmarx One vs Veracode

Compared 9% of the time

GitHub Advanced Security vs Veracode

Compared 7% of the time

OpenText Core Application Security vs Veracode

Compared 4% of the time

OpenText Static Application Security Testing vs Veracode

Compared 4% of the time

More Veracode Competitors

Product Reports

Download OWASP Zap product report

OWASP Zap

August 2025

Download Veracode product report

August 2025

Also Known As

No data available

Crashtest Security , Veracode Detect

Overview

OWASP Zap is a free and open-source web application security scanner.

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Sample Customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.