I use this solution for penetration tests.
CEO at Virtual Security International
Open-source, easy to install, feature-rich, with good heads-up display and community resources
Pros and Cons
- "It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display)."
- "The forced browse has been incorporated into the program and it is resource-intensive."
What is our primary use case?
What is most valuable?
It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display).
It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.
It's a Java program installed on your computer.
What needs improvement?
The forced browse has been incorporated into the program and it is resource-intensive.
It was a copied program named DirBuster, Doorbuster. It needs to be improved; it's too resource-hungry.
I found another program that is written in the Go language and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap if you do more than one; it will take forever.
It needs to be rewritten, maybe not in Java.
For how long have I used the solution?
I have used OWASP quite a bit. I have dealt with this solution for quite a few years. My usage has not been constant, but it has been quite a while.
We are dealing with the most recent version.
Buyer's Guide
OWASP Zap
November 2023

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: November 2023.
744,865 professionals have used our research since 2012.
What do I think about the stability of the solution?
It creates a database of all the URLs and it can get a little overwhelming.
With a large website, you have a lot of URLs, and it gets a bit sluggish when loading and saving it, but it really works quite well. It goes in and out of it and goes too slowly. It takes a little while to save all of that data.
What do I think about the scalability of the solution?
It's a scalable product but it's slow.
How are customer service and support?
I have not contacted technical support.
It has a very good forum on the website. The users help each other. It's helpful and resourceful.
Which solution did I use previously and why did I switch?
I have used several solutions, such as Nessus, WebInspect, and Retina. Retina is a network scanner, but OWASP is the best.
How was the initial setup?
It's quick to set up. You can install it in different ways. I run it on Linux (Debian), and I have run it on Windows as well.
What's my experience with pricing, setup cost, and licensing?
OWASP Zap is free.
Which other solutions did I evaluate?
I was making a comparison between OWASP and Acunetix to see what the differences were.
What other advice do I have?
I used to work with Homeland Security back 10, 15 years ago, in the national cybersecurity division starting up right after 9/11.
I was on that national cybersecurity team. One of the things they looked into was funding using government money to fund some of these security operations or projects. They decided, and I helped decide, that it would be right for the government to support open-source systems or products because they're not making money out of that market.
One of the people in the government got involved and helped to get it started. I don't know if they still have a list on their website of donors or contributors, but you can look on that list pretty easily and see if Homeland Security is still supporting them.
I assume it is because it's really well run. It's constantly evolving, with new versions coming out with new features. It's very well managed and the lead person on it is very sharp. You can go on YouTube and search for a proxy and you will see some deep-dive tutorials. He did a really good job.
There is a lot to this solution. You can use it superficially, but you need to spend a lot of time learning it. It has a lot of options and a lot of angles.
I would rate OWASP Zap a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Engineer at a computer software company with 201-500 employees
Easy to install, free to use, but missing features
Pros and Cons
- "They offer free access to some other tools."
- "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
What is our primary use case?
We use OWASP Zap for web application security scanning.
What is most valuable?
They offer free access to some other tools.
What needs improvement?
Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.
For how long have I used the solution?
I have been using OWASP Zap for approximately three months.
Which solution did I use previously and why did I switch?
I have used other solutions, such as AngularJS.
How was the initial setup?
The installation is straightforward.
What's my experience with pricing, setup cost, and licensing?
This solution is open source and free.
Which other solutions did I evaluate?
I have been evaluating Armor for my teammates who are using ZAP. I have found that Armor is better than ZAP and we are looking to switch solutions.
What other advice do I have?
I rate OWASP Zap a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
President & Owner at Aydayev's Investment Business Group
Provides visibility of queries, but security and the ability to search the internet for other use cases could be better
Pros and Cons
- "The solution is scalable."
- "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
What is our primary use case?
The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be.
What is most valuable?
The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them.
What needs improvement?
The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed.
For how long have I used the solution?
We have been using OWASP Zap for more than four years.
What do I think about the stability of the solution?
The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance.
What do I think about the scalability of the solution?
The solution is scalable. It can be run simultaneously for different targets.
How are customer service and technical support?
I have not had experience with using technical support. I make use of a public community on the public website.
How was the initial setup?
The initial setup is a bit complex, not straightforward. It could be made easy if, let's say, a project could be defined for a certain task through the project's creation. This may simplify its use.
Which other solutions did I evaluate?
Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model-based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well.
What other advice do I have?
I used the source code design for the deployment.
I have not had experience with the code crawler, OWASP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler.
I rate OWASP Zap as a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Specialist (DevOps) at a tech services company with 1,001-5,000 employees
Provides good automatic scanning and privacy; reporting could be improved
Pros and Cons
- "Automatic scanning is a valuable feature and very easy to use."
- "Reporting format has no output, is cluttered and very long."
What is our primary use case?
We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users.
How has it helped my organization?
The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support.
What is most valuable?
The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.
What needs improvement?
The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.
For how long have I used the solution?
I've been using this solution for about one year.
What do I think about the stability of the solution?
The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.
How are customer service and technical support?
We are using the open source version so we have no technical support for now.
How was the initial setup?
The installation is very simple. It's just an executable file because, for now, we are not using it as a part of CI/CD or anything else. We have just installed the open source version on the laptop, which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information-wise and operation-wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.
Which other solutions did I evaluate?
I carried out an evaluation between Checkmarx and OWASP Zap.
What other advice do I have?
If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that.
I rate this solution a six out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Deputy Director of IT Security and Infrastructure at a financial services firm with 201-500 employees
Open-source and easy to use with a straightforward setup
Pros and Cons
- "The stability of the solution is very good."
- "It would be a great improvement if they could include a marketplace to add extra features to the tool."
What is our primary use case?
Currently, we deploy these tools to serve in a few of our services in the organization.
What is most valuable?
The solution is very easy to use.
The initial setup is straightforward.
The solution is free due to the fact that it is open-source.
The stability of the solution is very good.
The product has a strong community surrounding it to help with issues and troubleshooting.
What needs improvement?
The technical support could be improved. It doesn't offer traditional technical support at all.
It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.
For how long have I used the solution?
I've been using the solution for a while. I've used it at least over the last 12 months.
What do I think about the stability of the solution?
The stability of the solution is very good. We've never had any issues. It's been reliable. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
While the solution can scale to a certain extent, it cannot scale a lot. This is not one of the strengths of the product.
We only have one user that is engaged with the solution currently.
How are customer service and technical support?
OWASP is an open-source solution. There's a big community surrounding it, however, it does not have traditional technical support. The main support comes from the community itself. If you have questions, you can find them there, or ask the community for feedback.
Which solution did I use previously and why did I switch?
We previously used the PortSwigger Burp Suite. It's a commercial version with support. We had to pay for the solution on a yearly basis, whereas OWASP is open-source and free.
How was the initial setup?
We found the initial setup to be very straightforward. It's easy. It's not complex. A company shouldn't have any issues with the implementation process.
The deployment only took half an hour. It wasn't more than that. The process is pretty fast.
You do not need a big team to handle the deployment process. We only used two.
What about the implementation team?
We deployed the solution ourselves using an in-house team. We didn't need the assistance of consultants or integrators from outside firms.
What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It doesn't cost anything to use it.
What other advice do I have?
We are a customer and end-user of the product.
There's lots of information online for users who are curious to learn more about the product.
In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Assistant Vice President at Hexaware Technologies Limited
Great at reporting vulnerabilities, helps with security, and reveals development threats well
Pros and Cons
- "The solution is good at reporting the vulnerabilities of the application."
- "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
What is our primary use case?
Currently, we build our products for the banking industry and use this solution in that process.
From a development cycle, we update the SQL injections that basically show what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code.
What is most valuable?
The solution is good at reporting the vulnerabilities of the application.
It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.
What needs improvement?
I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards.
So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using.
It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.
Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to complement the tool would go a long way in helping us use the solution.
For how long have I used the solution?
I've been using the solution for five or six years at this point.
What do I think about the stability of the solution?
From the perspective of the development cycle that we use, we find it stable enough. I don't use it in production or I don't have to update sites running all the time. Once a week when I will build a VM pack, I push into another environment, and that's probably the time I would make it. For me, I find it to be stable enough.
How are customer service and technical support?
I haven't really used technical support. Therefore, I can't really speak to their level of responsiveness or knowledgeability.
Which solution did I use previously and why did I switch?
I'm not a security specialist, however, to be clear, we provide services. On a development project, we frequently run into various solutions. It's not just OWASP. It could be Veracode, for example, or multiple other tools.
How was the initial setup?
The initial setup is not necessarily straightforward. Most are complex. You need a senior person to specialize, understand the setup in which they are running, and understand the tools they are going to use. You need to ask: do they know what to look for and support? I wouldn't say it's complex to use. That said, normally the resources are costly.
What's my experience with pricing, setup cost, and licensing?
In security, you'd expect the product is priced at a premium, so people don't check the pricing for the most part. In my case, I don't buy the product myself. I have the customers buy it for me. I'm not very worried about the price as a consultant.
What other advice do I have?
We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are.
There are, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool; however, I don't believe we have any kind of a formal relationship with the company.
Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a rating of eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Professional at AEDC
Easy-to-use interface, but the documentation needs to be improved
Pros and Cons
- "The interface is easy to use."
- "The documentation needs to be improved because I had to learn everything from watching YouTube videos."
What is our primary use case?
We primarily use this product for web application scanning.
What is most valuable?
The interface is easy to use.
What needs improvement?
The documentation needs to be improved because I had to learn everything from watching YouTube videos.
For how long have I used the solution?
I have been working with OWASP Zap for about three months.
What do I think about the stability of the solution?
I have not experienced any trouble in terms of stability.
What do I think about the scalability of the solution?
Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.
How are customer service and technical support?
I have not been in contact with technical support.
How was the initial setup?
The initial setup was straightforward. For me, I just had to press "Next" several times. Between the installation, downloading videos, and investigating how to deploy it, I would say that the process took roughly a day.
What about the implementation team?
I did not require third-party assistance for the deployment.
What was our ROI?
This solution is providing us with value and as long as it continues to do so, we'll continue to use it.
What's my experience with pricing, setup cost, and licensing?
This is an open-source solution and can be used free of charge.
What other advice do I have?
This is a good product where most of the functionality is free, which is why I recommend that others use it.
I would rate this solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good user interface and easy to use; test reports could be improved
Pros and Cons
- "Simple to use, good user interface."
- "Too many false positives; test reports could be improved."
What is our primary use case?
I'm a business analyst and we're a customer of OWASP Zap.
What is most valuable?
The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.
What needs improvement?
I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives.
For how long have I used the solution?
I've been using this solution for the past few months.
What do I think about the stability of the solution?
The stability is okay although we get many false positives when pulling out test reports.
What do I think about the scalability of the solution?
The scalability is very good.
How are customer service and technical support?
I haven't needed technical support to date and I haven't yet started using the community support.
How was the initial setup?
The initial setup wasn't very complex. You're supposed to install a JDK, Java file. I think implementation took about an hour. There are seven people in the company using the solution and maybe in the coming days there will be more.
What other advice do I have?
I would definitely recommend this product provided the company can provide more clarity on the false positives that we get.
I would rate this solution a seven out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Embedded Software Engineer at Y Soft
Automatic updates of our database are valuable; deployment is complicated
Pros and Cons
- "Automatic updates and pull request analysis."
- "Deployment is somewhat complicated."
What is our primary use case?
Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.
What is most valuable?
I would say that the automatic update is a very valuable feature because we are able to update our internal database. The pull request analysis is also very good.
What needs improvement?
The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories.
I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up.
For how long have I used the solution?
We've been using this solution for three or four years.
What do I think about the stability of the solution?
Regarding stability, we have some issues in our product and we need to work on it. Something is wrong in the architecture, perhaps it's a bug.
How was the initial setup?
The initial setup was done before I came to the company. There are five people on our security team who discuss maintenance issues and try to solve problems.
What other advice do I have?
I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance.
I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good overall business scanning but there is room for improvement
Pros and Cons
- "The scalability of this product is very good."
- "I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers."
What is our primary use case?
We only tried out the demo to see what the solution offers and how it performs overall business scanning. They also offer open-source projects.
What needs improvement?
There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.
For how long have I used the solution?
I used OWASP Zap three to four months ago for less than a week.
What do I think about the stability of the solution?
The OWASP Zap solution was very stable during the few days we used it.
What do I think about the scalability of the solution?
The scalability of this product is very good.
What other advice do I have?
I will rate this product a seven out of ten, because I think the visibility needs to be improved, and the support person needs to do a better job. What's more, additional features, like domain support or different authentication support, also need to be improved.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager at a marketing services firm with 10,001+ employees
Reporting gives you a clear indication of what kind of vulnerability you have that you can drill down on but the reporting should assist with base-lining
Pros and Cons
- "The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
- "I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help."
What is most valuable?
The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.
What needs improvement?
I'm still in the process of exploring.
I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help.
For how long have I used the solution?
I haven't been using this solution for very long yet.
What other advice do I have?
I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
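Two of these reviews point at the same gap: the DevOps reviewer above rewrites ZAP's long HTML report into a shorter digest by hand, and this reviewer wants reports that baseline one scan against the last. The script below is an added example of that post-processing in Python; it is not code from the page or from the ZAP project. It assumes the layout of ZAP's traditional JSON report (a `site` list, each with an `alerts` list whose entries carry `pluginid`, `alert`, `riskcode`, `confidence`, `cweid`, `solution` and `instances[].uri`); the risk and confidence code mapping, the two sample reports, the site name and the plugin ids in them are constructed for the demonstration.

```python
"""Added example: condense ZAP JSON reports into a digest and diff two runs."""
import json
from collections import Counter

# Codes as ZAP's traditional JSON report encodes them (assumed mapping):
# riskcode 0=Informational .. 3=High, confidence 0=False positive .. 3=High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE_NAMES = {0: "False positive", 1: "Low", 2: "Medium", 3: "High"}
SITE = "https://app.example.test"  # constructed target name


def _alert(pluginid, name, risk, confidence, cwe, solution, uris):
    """One alert entry in the shape of a ZAP report (constructed sample data)."""
    return {"pluginid": pluginid, "alert": name, "riskcode": str(risk),
            "confidence": str(confidence), "cweid": str(cwe), "solution": solution,
            "instances": [{"uri": u, "method": "GET"} for u in uris]}


# Constructed baseline run (not real scanner output).
BASELINE_REPORT = {"@programName": "ZAP", "site": [{"@name": SITE, "alerts": [
    _alert("40012", "Cross Site Scripting (Reflected)", 3, 2, 79,
           "Validate and output-encode all user-supplied input.", [SITE + "/search?q=x"]),
    _alert("10038", "Content Security Policy (CSP) Header Not Set", 2, 3, 693,
           "Set a Content-Security-Policy header.", [SITE + "/", SITE + "/login"]),
    _alert("10021", "X-Content-Type-Options Header Missing", 1, 2, 693,
           "Send X-Content-Type-Options: nosniff.", [SITE + "/"]),
]}]}

# Constructed later run: the XSS is gone, CSP spread to a third page, an error disclosure
# is new, and two noise entries appear (Informational, and false-positive confidence).
CURRENT_REPORT = {"@programName": "ZAP", "site": [{"@name": SITE, "alerts": [
    _alert("10038", "Content Security Policy (CSP) Header Not Set", 2, 3, 693,
           "Set a Content-Security-Policy header.", [SITE + "/", SITE + "/login", SITE + "/account"]),
    _alert("10021", "X-Content-Type-Options Header Missing", 1, 2, 693,
           "Send X-Content-Type-Options: nosniff.", [SITE + "/"]),
    _alert("90022", "Application Error Disclosure", 2, 2, 200,
           "Return generic error pages; keep stack traces in server logs.", [SITE + "/api/orders/0"]),
    _alert("10096", "Timestamp Disclosure", 0, 1, 200,
           "Confirm the value is not sensitive.", [SITE + "/static/app.js"]),
    _alert("40018", "SQL Injection", 3, 0, 89,
           "Use parameterised queries.", [SITE + "/search?q=x"]),
]}]}


def load_report(path):
    """Read one ZAP JSON report from disk (the scanner writes one per run)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def load_alerts(report, min_risk=1, min_confidence=1):
    """Flatten site[*].alerts[*] into records keyed by (site, plugin id), keeping only alerts
    at or above the thresholds: defaults drop Informational and false-positive-confidence ones."""
    records = {}
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            risk, conf = int(a["riskcode"]), int(a["confidence"])
            if risk < min_risk or conf < min_confidence:
                continue
            records[(site["@name"], a["pluginid"])] = {
                "pluginid": a["pluginid"], "name": a["alert"], "risk": risk, "confidence": conf,
                "cwe": a.get("cweid", ""), "solution": a.get("solution", ""),
                "uris": sorted({i["uri"] for i in a.get("instances", [])})}
    return records

def summarise(report, min_risk=1, min_confidence=1):
    """Counts per risk level plus the findings ordered High first, then by confidence."""
    kept = sorted(load_alerts(report, min_risk, min_confidence).values(),
                  key=lambda r: (-r["risk"], -r["confidence"], r["name"]))
    return {"counts": dict(Counter(RISK_NAMES[r["risk"]] for r in kept)), "findings": kept}

def diff_reports(previous, current, min_risk=1, min_confidence=1):
    """Baseline comparison: alerts new since the previous run, fixed, or persisting;
    for persisting ones, the instance URLs that were not affected before."""
    before = load_alerts(previous, min_risk, min_confidence)
    after = load_alerts(current, min_risk, min_confidence)
    return {"new": sorted(after.keys() - before.keys()),
            "fixed": sorted(before.keys() - after.keys()),
            "persisting": {k: sorted(set(after[k]["uris"]) - set(before[k]["uris"]))
                           for k in sorted(before.keys() & after.keys())}}

def render(summary, delta):
    """One-screen text digest: totals, each finding with its fix, then the delta."""
    lines = ["Totals: " + ", ".join(f"{k}={v}" for k, v in summary["counts"].items())]
    for r in summary["findings"]:
        lines.append(f"[{RISK_NAMES[r['risk']]} risk, {CONFIDENCE_NAMES[r['confidence']]} confidence] "
                     f"{r['name']} (CWE-{r['cwe']}, {len(r['uris'])} URL(s))")
        lines.append(f"    fix: {r['solution']}")
    lines.append(f"Since baseline: {len(delta['new'])} new, {len(delta['fixed'])} fixed, "
                 f"{len(delta['persisting'])} persisting")
    for (_, pluginid), extra in delta["persisting"].items():
        if extra:
            lines.append(f"    {pluginid} now also affects: {', '.join(extra)}")
    return "\n".join(lines)

if __name__ == "__main__":  # with real output: load_report("last.json"), load_report("now.json")
    print(render(summarise(CURRENT_REPORT), diff_reports(BASELINE_REPORT, CURRENT_REPORT)))
```

Against real output, load each run's report with `load_report` and pass the previous and current ones to `diff_reports`. The confidence threshold is what keeps findings ZAP itself rated at false-positive confidence out of the digest, which is the noise several reviewers here complain about; the diff keys on (site, plugin id) and lists newly affected URLs for persisting alerts, so a team can see whether a finding spread or shrank between scans rather than only whether it is still listed.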
CEO and Founder at Indicrypt Systems
Offers good web application spidering and vulnerability assessment
Pros and Cons
- "The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."
What is our primary use case?
We primarily use this application for web application spidering and vulnerability assessment.
What is most valuable?
The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular website. The spidering mechanism is very good.
What needs improvement?
The automatic scans need improvement. The automated vulnerability assessments that the application performs needs to be simplified as well as diversified.
For how long have I used the solution?
I've been using the solution for 5 years.
What do I think about the stability of the solution?
The solution is very stable. Presently there are only around three people including me using this particular solution. I really don't think we would be needing anything more than these as of right now.
What do I think about the scalability of the solution?
I would say that scalability doesn't apply to this particular application.
How are customer service and technical support?
Presently there is only community support available, and we are able to solve a lot of problems using the documentation with community support.
Which solution did I use previously and why did I switch?
Yes, we actually use a couple of different products but there is one specifically that we use, which is the Burp Suite.
How was the initial setup?
The initial setup was very straightforward.
What's my experience with pricing, setup cost, and licensing?
This app is completely free and open source. So there is no question about any pricing.
What other advice do I have?
I would recommend that you should go through the documentation really well. That's it.
I would rate this product 8 out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Inexpensive licensing, free to use, and has good community support
Pros and Cons
- "The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
- "There's very little documentation that comes with OWASP Zap."
What is our primary use case?
I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on the security of their platforms/products/applications. Clients reach out to us for our ability to unearth security issues.
I get to use these tools to assess products/platforms before they go live to the market.
How has it helped my organization?
We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had the OAuth token change every time a request was being sent. Somebody from the support community had contributed sample code to accomplish this. In terms of the community support that is available, OWASP Zap has a great set of features to use.
What is most valuable?
The OWASP tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client to help them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.
What needs improvement?
OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover, ZAP Proxy security scans are excellent, providing comprehensive coverage.
One area where the tool can be improved is specifically, if there's some more intelligence that can be added on to the reporting feature, it would be great.
There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there were additional templates that could be put in place, the reports would come out very well, and we'd be able to edit them while reading the report.
That would be good for us, because that is an area we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.
There's the element of documentation that we need to create along with that. It would help if there were a provision to enter inputs like the ones below as part of report generation:
- Project information
- Client name
- Organization name
- Platform against which this test has been done
If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.
Today this is something not easily available at that level in the tool. In the reporting presentation format, the Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that format.
For how long have I used the solution?
We have been using OWASP Zap for more than eight months.
What do I think about the stability of the solution?
The only place that I faced issues with OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that the ZAP Proxy tool tends to be a little slower to respond. We're not sure whether it's progressing in the background or whether the application is frozen. We have faced this when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there. Other than that we have not seen a significant issue with the tool.
What do I think about the scalability of the solution?
Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose the ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix or Burp Suite.
For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis and make a recommendation that best suits them, explaining the pros and cons of each tool, i.e. when you use a solution like OWASP Zap versus going with a tool like Burp Suite or Acunetix.
How are customer service and technical support?
For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.
For example, we expected PortSwigger to have OAuth token support available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.
In terms of product support, I would say PortSwigger support has been very good.
How was the initial setup?
The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.
What's my experience with pricing, setup cost, and licensing?
As far as pricing is concerned, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commercial licenses, the OWASP Zap tool is the best fit.
What other advice do I have?
When people are trying to make use of OWASP Zap, I would advise first reading through and understanding the OWASP vulnerabilities very well. Then start looking at the features and tutorials of the OWASP ZAP Proxy that are made available online.
There are a lot of YouTube videos and articles on the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which already has vulnerabilities and assess the application with the ZAP Proxy tool.
In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at Harald A. Møller AS
Has made us feel safer doing frequent deployments for web applications and has a plug-in into every major system
Pros and Cons
- "This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
- "If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
What is our primary use case?
Our primary use case of this solution is to scan and check that the applications we put on the internet are safe and secure.
How has it helped my organization?
This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we are doing large deployments, we might get a professional security partner in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes the process easier and safer.
What is most valuable?
Automatic scanning after a manual walkthrough is the most valuable feature.
What needs improvement?
I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning.
I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
Good.
What do I think about the scalability of the solution?
In terms of scalability, I only tried it on small applications, so I don't know, but it seems very quick. We have plans to increase usage and to also support APIs and not just the applications. All applications that will be exposed to the internet are scanned. The ones that are used internally, in the organization, are not scanned at this point in time.
How are customer service and technical support?
I never had to reach out to their technical support. The internet forums are great. There's so much open information on the internet so you don't really need much else.
Which solution did I use previously and why did I switch?
We tried PortSwigger Burp Suite, but only briefly. We have also used IBM AppScan for a while.
How was the initial setup?
The initial setup was straightforward. We didn't have to do much. There was an easy to follow guide online and there was not much to do other than to follow a straightforward tutorial. Deployment took around an hour.
What about the implementation team?
I implemented it myself.
What's my experience with pricing, setup cost, and licensing?
It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use.
Which other solutions did I evaluate?
We ran IBM AppScan for a year, but it was expensive and did not deliver more value. Veracode was pretty much the same and cost the same. We then also looked at PortSwigger Burp Suite Pro, which is at a better price point and a very good expert tool. Though at this point in time, given our needs, it does not seem to give us any advantage over ZAP. Also, the forums and the internet community are excellent for ZAP, and it's free.
What other advice do I have?
I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs.
I would rate this solution an eight out of ten. It does what it says it will do and it's not hard to set up. It is also easy to use both automatically and manually and has a plug-in into every major build tool, like Jenkins, GitLab and others. You can automate it through a build process.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
Pros and Cons
- "It can be used effectively for internal auditing."
- "It needs more robust reporting tools."
What is our primary use case?
It is a security tool. We use it for application testing.
How has it helped my organization?
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
What needs improvement?
It needs more robust reporting tools that can be in an editable form.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
This is a good, stable product.
How is customer service and technical support?
We have not used technical support.
Which other solutions did I evaluate?
We looked at Arachni and Acunetix.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Testing Engineer at a tech services company with 1,001-5,000 employees
The community edition updates services regularly. They add new vulnerabilities into the scanning list.
Pros and Cons
- "The community edition updates services regularly. They add new vulnerabilities into the scanning list."
- "As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
What is our primary use case?
The use case was we needed to scan our website to find out what vulnerabilities were present.
We use it to scan the website, then take a report about what vulnerabilities are present on it. Next, we will manually verify those vulnerabilities for false positives.
How has it helped my organization?
Every now and then, there is an update. They add new vulnerabilities to the scan list. That is where they just keep on improving.
What is most valuable?
The community support that ZAP provides me. As open source, it provides me with flexibility and is convenient to use.
What needs improvement?
As security evolves, we would like DevOps built into it. As of now, Zap does not provide this.
I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Stability is good.
What do I think about the scalability of the solution?
We have not scaled yet. Though, we should be able to scale.
How is customer service and technical support?
I have not used any support for this solution yet.
How was the initial setup?
The initial setup is straightforward, because we can integrate it directly into the SDLC.
What other advice do I have?
The community edition updates services regularly. They add new vulnerabilities into the scanning list.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Program Manager at a manufacturing company with 1,001-5,000 employees
The tool's learning curve is smooth and light
Pros and Cons
- "It scans while you navigate, then you can save the requests performed and work with them later."
- "I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
What is our primary use case?
OWASP ZAP is a very useful, light tool for beginners to learn how to “spider” across websites. It is easy to configure and generate reports. There are other solutions for more mature, experienced security analysts and testers, who are capable of extending the coverage of a security assessment.
It is most frequently used to review HTTP methods, how they are constructed and whether there is sensitive information in the traffic, such as how HTTPS certificates work on the website, scanning open ports visible via the web, and trying to modify HTTP methods to add or delete requests.
I have used OWASP ZAP as part of my portfolio of security tools since 2013.
How has it helped my organization?
Using this tool, it helps enhance and speed the process of covering big applications with many functionalities. It scans while you navigate, then you can save the requests performed and work with them later. Also, you can pass these requests to colleagues involved in the same security assessment to increase the monitoring as well as avoid extra work.
What is most valuable?
- Interception of proxy traffic
- Session comparisons
- Port scanner
- Fuzzing
- Brute force
- Cookie management
What needs improvement?
I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
We have had stability issues a few times. You need to do extra configurations on the tool to make it catch traffic with different browsers. Otherwise, it won’t display any requests.
What do I think about the scalability of the solution?
No scalability issues. I found this to be a very flexible tool.
How are customer service and technical support?
OWASP ZAP has a forum to help out customers and analysts, as well as an interaction with other experts for a quick process of “Question-Answer”.
Which solution did I use previously and why did I switch?
OWASP ZAP is one of the solutions that I use. For simple tasks, I use Fiddler. For other advanced techniques, I use the Burp Suite. I would say OWASP ZAP is a really light, useful tool in the middle of the other two mentioned.
How was the initial setup?
Initial setup was pretty straightforward; nothing complex.
What's my experience with pricing, setup cost, and licensing?
OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate.
Which other solutions did I evaluate?
As mentioned, Burp Suite and Fiddler are two other great options. OWASP ZAP excels for what it does and for how smooth and light the tool's learning curve can be.
What other advice do I have?
This is a very mature tool. It is capable of facilitating the work of many security experts. I highly recommend it for beginners and advanced users when some other tools fail to catch traffic.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Team Lead at a tech services company with 51-200 employees
Fuzzer and Java APIs help customize the solution for our security testing requirements
Pros and Cons
- "Fuzzer and Java APIs help a lot with our custom needs."
- "It would be nice to have a solid SQL injection engine built into Zap."
What is our primary use case?
Security/penetration testing of a Java-based Web application which is served over a SaaS platform.
Zap has been integrated as one of the important tools in our QA cycle. All beta releases of our software go through Zap scanning. Custom reports are generated - they are pretty decent and standardized - and are submitted to upper management for auditing by a third-party.
How has it helped my organization?
We save a significant amount of money on third-party security auditing time.
We are also able to minimize most of the security threats for our software prior to releases, thus saving a lot of time on security fixes and post-release patch builds.
What is most valuable?
Fuzzer and Java APIs help a lot with our custom needs.
What needs improvement?
It would be nice to have a solid SQL injection engine built into Zap.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No stability issues for us, so far.
What do I think about the scalability of the solution?
No major problems in terms of the scalability of the software.
How is customer service and technical support?
Community support and documentation are good.
How was the initial setup?
Setup of Zap is relatively easy and straightforward for any technical person, with good documentation to configure it according to your needs.
What's my experience with pricing, setup cost, and licensing?
As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out.
Which other solutions did I evaluate?
We evaluated several other packages prior to OWASP Zap, such as Burp Suite and Acunetix. We finally moved to Zap as it is open-source and provides almost all the features and the customization that we need.
What other advice do I have?
I would rate it an eight out of 10, based on the usability and variety of features provided. It is highly customizable in terms of usability and reporting, and all of this is available in a free solution.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
User at a computer software company with 1,001-5,000 employees
It makes work easier and creates faster security testing
Pros and Cons
- "It has improved my organization with faster security tests."
- "The port scanner is a little too slow."
What is our primary use case?
I tested this application for a bank and public projects. Now, I am testing products.
How has it helped my organization?
It has improved my organization with faster security tests.
What is most valuable?
- Automatic scanner: It makes work easier.
- I like the new solution, ZAP Browser Launch.
- Automation script
What needs improvement?
The port scanner and Zap could not send a request several times, but this has been corrected.
What other advice do I have?
It is a very good product. Though, the port scanner is a little too slow.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
User at a retailer with 1,001-5,000 employees
Finds Vulnerabilities And Gives The Latest Attacks And How To Protect Against Them
Pros and Cons
- "The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
- "It doesn't run on absolutely every operating system."
What is most valuable?
The vulnerabilities that it finds, because the primary goal is to secure applications and websites.
How has it helped my organization?
When I checked the CVE and MITRE databases, they gave the latest attacks that are out there for particular software and hardware, and how to protect against them.
What needs improvement?
It's possibly just a limitation of the product itself but sometimes it won't scan a particular website so you have to manually go in and make some configuration changes.
Also, it needs to have more feeds, such as from the Darknet, RSS, or intelligence like US-CERT, or some of those like NIST or other standing bodies, because right now it's got some CVEs in there but there's more to it than just that. So if it could tie into those somehow, so you could do some research, like a "research tab" under tools and some one-click access to those forums and feeds.
In addition, it doesn't run on absolutely every operating system.
For how long have I used the solution?
Five years.
What do I think about the stability of the solution?
As far as stability goes, perhaps if you're running it in a Kali Linux virtual machine, sometimes it doesn't close out right away so I don't know if it takes too much time to flush that RAM out. It won't crash but it will lag. On Windows, it'll just close right away.
What do I think about the scalability of the solution?
Not at this point. Normally I just play with it on Windows but lately I've been using it on Kali.
How are customer service and technical support?
I haven't used it. If I have a question I'll just Google it.
Also, if you go into a forum, while that's kind of like calling a human, you're really not. It's a very well developed and very mature forum with a lot of people from different organizations all over the world, so it's top notch.
Which solution did I use previously and why did I switch?
I use a lot of different tools, the right tool for the job: Burp Suite, IBM Security AppScan, Nmap, Nikto, WPScan. Depending on what you find, you might have to use better tools, so OWASP Zap. I don't know if it's copyright infringement or not, given that it's open source, but it's possible they could build someone else's tools into the GUI of OWASP Zap. As the months and years go by, you'll probably see more features in there.
I'd have to say Burp Suite Pro, which is the licensed, paid-for version, is better but that's just because it's got more funding.
How was the initial setup?
If you're talking about Kali, which is the Linux Pentesting operating system, it comes built in. The only thing you have to do is update it from time to time and you can automate that with like a cron or a script. With Windows you have to download it manually, install it manually and check for updates.
Which other solutions did I evaluate?
Burp Suite. It's part of the pool in terms of the tools that do the job, whether they're free or commercially based. So Burp Suite and Nikto, and WPScan, which is for WordPress. They're all website security checkers per se, but they're not all created equal; some are specialized for certain things.
What other advice do I have?
If you're a company and you've got your own websites, internally and externally, it's great. It's a great free, open source tool to get your security staff and even your web developers to use. If you already have a mature SDLC framework in place for web development, then maybe you should get even more serious and buy the Burp Suite Professional license or other tools out there like Acunetix.
But overall I think it's a great product. It finds, I'd say, 90% if not more of the things that it needs to and helps you remediate any security findings.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technologist at a tech services company
API Is Exceptional. Documentation needs some love
Pros and Cons
- "The API is exceptional."
- "The documentation is lacking and out-of-date, it really needs more love."
What is most valuable?
The API is exceptional.
How has it helped my organization?
I can provide examples of how OWASP Zed Attack Proxy (ZAP) has been used inside many of my customer's environments. I've set up Security Regression testing using the ZAP API and written about how this is done in my first book.
I've also spoken and run many pieces of training on setting up Security Regression testing with the ZAP API.
What needs improvement?
The documentation is lacking and out-of-date, it really needs more love. This is a common scenario with developers running many open-source projects. The community is trying to help with this. I've done my part with providing details on how to use the ZAP API for Security Regression testing. I think ZAP is now sponsored by the Linux Foundation.
For how long have I used the solution?
I have used this solution for around six to seven years.
What do I think about the stability of the solution?
There were no stability issues; it has been production-ready for a long time.
What do I think about the scalability of the solution?
There were no scalability issues, ZAP is a very fully featured HTTP intercepting proxy with many types of attacks targeting a plethora of known vulnerabilities. The OWASP Top 10 receives good coverage with ZAP. The REST API scales as far as you have resources. ZAP also has a docker image.
How are customer service and technical support?
Technical support is excellent. The maintainers have gone well beyond what would be expected of any open-source project maintainers. They have personally worked with my customer projects to help on some of the issues we had with some legacy HTTP applications that had communications that were difficult to reason about. ZAP was not at fault at all, but the maintainers were very passionate about making sure I got the security regression system working well.
Which solution did I use previously and why did I switch?
I've used many HTTP intercepting proxies, ZAP is one of the few that has an excellent API to program against. Using ZAP manually is also very fully featured.
How was the initial setup?
Using the API was initially difficult to set up, not because the API was difficult, but working out the incantations that needed to be sent. You can see these in my code.
What's my experience with pricing, setup cost, and licensing?
It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is very easy.
Which other solutions did I evaluate?
I've been evaluating all the well-known HTTP intercepting proxies for years, as I have mentioned earlier, ZAP is the only one that has a fully featured REST API. It also has API clients written in many languages.
What other advice do I have?
Don't re-implement it, just use it.
It's an excellent solution, driven by committed and passionate security-focused developers.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Test Automation Project Lead at a tech services company with 1,001-5,000 employees
A useful tool for security testing and penetration testers.
Pros and Cons
- "Simple and easy to learn and master."
- "Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
What is most valuable?
- Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
- Simple and easy to learn and master.
- Good online product documentation.
- Built-in features include: intercepting proxy, Plug-n-Hack support, automated scanning, passive scan, fuzzer, traditional and Ajax crawling, WebSocket support and so on.
- Detailed reporting mechanism.
- The tool has been translated into 25 different languages.
- Can be executed through GUI, command line and also in Daemon mode with the help of REST API.
- Very good API support for automating security tests.
- Supports multiple platforms like Mac, Linux and Windows.
- It's easy to create add-ons and extensions to scale up the features of the tool.
How has it helped my organization?
We have leveraged our existing functional tests for security testing by integrating web driver scripts with the OWASP ZAP tool.
What needs improvement?
Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.
For how long have I used the solution?
6 months
What was my experience with deployment of the solution?
Did not encounter any issues. It's easy to install and configure.
What do I think about the stability of the solution?
So far I am very comfortable and did not find any stability related issues.
What do I think about the scalability of the solution?
It is scalable, by creating new extensions and add-ons for the tool. But we faced a couple of challenges initially, which were solved with the help of the online documentation.
How are customer service and technical support?
Customer Service: 4/10
Technical Support: 4/10
Which solution did I use previously and why did I switch?
No
How was the initial setup?
It is very simple to install and configure.
What about the implementation team?
We have implemented this with the in-house team support.
What was our ROI?
Instead of creating a new framework for security tests, it helped us to leverage (reuse) our existing functional test automation framework for security tests. This reduces a lot of rework.
What's my experience with pricing, setup cost, and licensing?
It is highly recommended as it is an open source tool.
Which other solutions did I evaluate?
No, we are happy with the features provided with this tool, but if you want to go with static code analysis for security tests, we need to find a different option here.
What other advice do I have?
Very good and useful tool for security testing and penetration testers.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Note that this tool will not cover 100% of (comprehensive) security testing, But will be beneficial for basic level of security tests along with functional tests.
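Several reviewers above describe running ZAP in daemon mode from a build tool (Jenkins, GitLab) through its REST API and failing a release on the findings. The script below is an added example of that pattern, written for this page and not taken from any reviewer or from the ZAP project. It assumes a ZAP daemon started with `zap.sh -daemon -port 8080 -config api.key=<key>` reachable at `http://localhost:8080`, a staging copy of your own application as the target, and it uses ZAP's JSON API endpoints (`spider`, `ascan`, `core/view/alerts`); the sample alert list is constructed to mirror the shape of a `core/view/alerts` response so the gating logic can be exercised without a running daemon.

```python
"""Added example: drive a headless ZAP daemon from CI and gate the build on alert risk."""
import json
import time
import urllib.parse
import urllib.request

# ZAP reports each alert with one of these risk levels.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(base, component, kind, name, apikey, **params):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<view|action>/<name>/?apikey=...&..."""
    query = urllib.parse.urlencode({"apikey": apikey, **params})
    return f"{base.rstrip('/')}/JSON/{component}/{kind}/{name}/?{query}"


def call(url, timeout=30):
    """GET one API URL from the daemon and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def wait_for_scan(status_url, poll_seconds=2.0):
    """Spider and active-scan status views return {"status": "0".."100"} as a string."""
    while int(call(status_url)["status"]) < 100:
        time.sleep(poll_seconds)


def gate_alerts(alerts, fail_on="High"):
    """Count alerts per risk level and list the ones at or above the failing threshold.

    Returns (counts, failing) where failing is a list of (alert name, url) tuples.
    """
    counts = {risk: 0 for risk in RISK_ORDER}
    failing = []
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if RISK_ORDER.get(risk, 0) >= RISK_ORDER[fail_on]:
            failing.append((alert.get("alert") or alert.get("name"), alert.get("url")))
    return counts, failing


def scan_and_gate(base, target, apikey, fail_on="High"):
    """Spider the target, run an active scan, then gate on the collected alerts."""
    spider_id = call(api_url(base, "spider", "action", "scan", apikey, url=target))["scan"]
    wait_for_scan(api_url(base, "spider", "view", "status", apikey, scanId=spider_id))
    ascan_id = call(api_url(base, "ascan", "action", "scan", apikey, url=target))["scan"]
    wait_for_scan(api_url(base, "ascan", "view", "status", apikey, scanId=ascan_id))
    alerts = call(api_url(base, "core", "view", "alerts", apikey,
                          baseurl=target, start=0, count=9999))["alerts"]
    return gate_alerts(alerts, fail_on)


# Constructed sample in the shape of a core/view/alerts response (not real scan output).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "http://staging.example.test/search?q=x"},
    {"alert": "Missing Anti-clickjacking Header", "risk": "Medium",
     "confidence": "Medium", "url": "http://staging.example.test/"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://staging.example.test/static/app.js"},
]


if __name__ == "__main__":
    import sys
    # Offline dry run over the constructed sample; replace with scan_and_gate(...) in CI.
    counts, failing = gate_alerts(SAMPLE_ALERTS, fail_on="High")
    print("alert counts:", counts)
    for name, url in failing:
        print(f"FAIL {name} at {url}")
    sys.exit(1 if failing else 0)
```

In a pipeline, the job exits non-zero when any alert at or above the chosen threshold is present, and the printed alert names plus URLs are then verified by hand for false positives, as the reviewers describe doing.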