OWASP Zap Reviews

We use this product for vulnerability scanning and for testing. I'm an automation engineer. 

The HUD, Heads Up Display, is a good feature. It provides on-site testing and saves a lot of time.

We get too many false positives and that should definitely be improved. I'd like to see site scanning included in the solution because it can get into your hidden files and reports. 

I've been using this solution for one year. 

The solution is stable. 

The solution is not scalable. 

The initial setup is straightforward and was carried out in-house without assistance from a third party. 

It's worth exploring and learning the tool. It helps a lot to understand the vulnerabilities in the applications. I rate the solution eight out of 10. 

Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.

I would say that the automatic update is a very valuable feature because we are able to update our internal data base. The pull request analysis is also very good.

The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories. 

I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up. 

We've been using this solution for three or four years. 

Regarding stability, we have some issues in our product and we need to work on it. Something is wrong in the architecture, perhaps it's a bug. 

The initial setup was done before I came to the company. There are five people on our security team who discuss maintenance issues and try to solve problems. 

I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance.

I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10. 

• Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
• Simple and easy to learn and master.
• Good online product documentation.
• Built in features include: Intercepting proxy, Plug and Hack support, Automated scanning, Passing scan, Fuzzer, Traditional and Ajax Crawling and Web Socket support and so on.
• Detailed reporting mechanism.
• The tool has been translated in 25 different languages.
• Can be executed through GUI, command line and also in Daemon mode with the help of REST API.
• Very good API support for automating security tests.
• Supports multiple platforms like Mac, Linux and Windows.
• It's easy to create add-ons and extensions to scale up the features of the tool.

We have leveraged our existing functional tests for security testing by integrating web driver scripts with the OWASP ZAP tool.

Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.

6 months

Did not encounter any issues. It's easy to install and configure.

So far I am very comfortable and did not find any stability related issues.

It is scalable, by creating new extensions and add-ons for the tool. But we faced a couple of challenges initially which were solved with the help of online documentation

4/10

4/10

No

It is very simple to install and configure.

We have implemented this with the in-house team support.

Instead of creating a new framework for security tests, it helped us to leverage (reuse) existing functional test automation framework for security tests. This reduces lot of rework.

It is highly recommended as it is an open source tool.

No, we are happy with the features provided with this tool, but if you want to go with static code analysis for security tests, we need to find a different option here.

Very good and useful tool for security testing and penetrations testers.

We primarily use this product for web application scanning.

The interface is easy to use.

The documentation needs to be improved because I had to learn everything from watching YouTube videos.

I have been working with OWASP Zap for about three months.

I have not experienced any trouble in terms of stability.

Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.

I have not been in contact with technical support.

The initial setup was straightforward. For me, I just had to press "Next" several times. Between the installation, downloading videos, and investigating how to deploy it, I would say that the process took roughly a day.

I did not require third-party assistance for the deployment.

This solution is providing us with value and as long as it continues to do so, we'll continue to use it.

This is an open-source solution and can be used free of charge.

This is a good product where most of the functionality is free, which is why I recommend that others use it.

I would rate this solution a seven out of ten.

The use case was we needed to scan our website to find out what vulnerabilities were present.

We use it to scan the website, then take a report about what vulnerabilities are present on it. Next, we will manually verify those vulnerabilities for false positives.

Every now and then, there is an update. They add new vulnerabilities to the scan list. That is where they just keep on improving.

The community support that ZAP provides me. As an open source, it provides me flexibility and is convenient to use.

As security evolves, we would like DevOps built into it. As of now, Zap does not provide this.

I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.

Stability is good.

We have not scaled yet. Though, we should be able to scale.

I have not used any support for this solution yet.

The initial setup is straightforward, because we can integrate it directly into the SDLC.

The community edition updates services regularly. They add new vulnerabilities into the scanning list.