
Compare Netsparker and OWASP Zap. How Do I Choose?

Nick Regan - PeerSpot reviewer
Senior Project Manager at IT Central Station

One of the most popular comparisons on IT Central Station is Netsparker Web Application Security Scanner vs OWASP Zap.

People like you are trying to decide which one is best for their company. Can you help them out?

Which of these two solutions would you recommend for Application Security? Why?

Thanks for helping your peers make the best decision!

55 Answers

it_user822309 - PeerSpot reviewer

Both of the sentences below are true.
In my opinion, Checkmarx is a complement to SonarQube for needs related to security control, especially if you are challenged to respond to constraints like PCI standards. SonarQube and Checkmarx are well integrated, so you can easily imagine a big picture involving the two products. If a choice between the two solutions has to be made, there are a lot of pros and cons to consider: SonarQube is more user-friendly, produces fully configurable views of the code quality, is an open platform which offers the capability of writing plugins, and covers languages like COBOL. However, CheckMarx covers security standards almost entirely and analyzes a whole project (not only a source file), so the analysis is more complete. Moreover, CheckMarx can, with some limits of course, suggest the best place in the code to fix security issues.
If the aim is to analyze the quality of source code, SonarQube is today a good choice. If you have to focus on security, consider CheckMarx. If you have to do both, consider them both.

it_user700140 - PeerSpot reviewer

Netsparker and Owasp Zap are completely different in their operation.

Netsparker is apt for automated testing of application security for low and medium level findings, whereas Owasp Zap is very specific for testing Cross-Site Request Forgery attacks. Also, Netsparker is a paid iteration, whereas Owasp Zap is available for free.

In this situation, I would recommend Netsparker for Application Security testing.

Harshit Agarwal - PeerSpot reviewer

ZAP has a good proxy too. Netsparker also has a good proxy, but it is a paid product.
Also, ZAP has a REST API which people can integrate to scan web apps.

Overall, I think if you are looking for something open source, ZAP is best, and if paid, Netsparker is best.
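To make the REST API point above concrete, here is an added example (not code from this thread, from PeerSpot, or from the ZAP project) of the kind of CI integration the answer refers to: a script that drives a local ZAP daemon through its JSON API to spider and actively scan an application you own, then fails the build if high-risk findings come back. The ZAP address, the API key placeholder and the endpoint/field names (`spider/action/scan`, `ascan/action/scan`, `core/view/alerts`, the `risk`/`confidence`/`pluginId` fields) are assumptions written from the author's knowledge of the ZAP API, not taken from the page, and the alert list used for the offline demonstration is constructed.

```python
"""Drive a local OWASP ZAP daemon via its REST API and gate a CI build on findings.

Added illustration, not code from the PeerSpot thread or the ZAP project.
Assumptions: ZAP is listening on http://127.0.0.1:8080 with an API key
(placeholder below); endpoint names and JSON fields follow the ZAP API as
the author knows it.  Only scan applications you are authorised to test.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"        # assumption: local ZAP daemon
API_KEY = "REPLACE_WITH_ZAP_API_KEY"      # placeholder, not a real key

# ZAP's risk and confidence scales, ordered so thresholds can be compared.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONF_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "User Confirmed": 4}


def api_url(component: str, kind: str, name: str, **params: str) -> str:
    """Build a ZAP API URL, e.g. /JSON/spider/action/scan/?apikey=...&url=..."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{query}"


def call(component: str, kind: str, name: str, **params: str) -> dict:
    """Perform one API call and decode the JSON body (needs a running ZAP)."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def wait_for(component: str, scan_id: str, poll_seconds: float = 2.0) -> None:
    """Poll <component>/view/status/ until ZAP reports the scan is 100% done."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def triage(alerts: list, min_risk: str = "High", min_confidence: str = "Medium") -> list:
    """Keep alerts at or above both thresholds, one per (pluginId, url), highest risk first.

    Filtering on confidence as well as risk keeps a noisy low-confidence
    check from breaking the build on its own.
    """
    seen, kept = set(), []
    for alert in alerts:
        if RISK_ORDER.get(alert.get("risk"), -1) < RISK_ORDER[min_risk]:
            continue
        if CONF_ORDER.get(alert.get("confidence"), -1) < CONF_ORDER[min_confidence]:
            continue
        key = (alert.get("pluginId"), alert.get("url"))
        if key in seen:          # same check on the same URL, different parameter
            continue
        seen.add(key)
        kept.append(alert)
    return sorted(kept, key=lambda a: -RISK_ORDER[a["risk"]])


def scan_and_gate(target: str) -> tuple:
    """Spider, actively scan, and return (build_passes, blocking_alerts)."""
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", ascan_id)
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    blocking = triage(alerts)
    return (len(blocking) == 0, blocking)


# Constructed sample shaped like core/view/alerts output, for running offline.
SAMPLE_ALERTS = [
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.example/login", "param": "user", "cweid": "89"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.example/login", "param": "pass", "cweid": "89"},   # duplicate key
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://app.example/", "param": "", "cweid": "693"},
    {"pluginId": "90019", "alert": "Server Side Code Injection", "risk": "High",
     "confidence": "Low", "url": "http://app.example/search", "param": "q", "cweid": "94"},
]


def demo() -> list:
    """Triage the constructed sample without contacting ZAP."""
    return triage(SAMPLE_ALERTS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['risk']:<6} {a['alert']} at {a['url']} (param={a['param']!r})")
```

`scan_and_gate` is the part that needs a live daemon (start ZAP with `zap.sh -daemon` and the matching API key); `demo` exercises the triage policy on the constructed alerts so the thresholds and de-duplication can be checked without a scan.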

it_user236706 - PeerSpot reviewer
Real User

ZAP is free and does a fairly good job. However, it requires manual intervention and lacks many of the features that a commercial tool provides. If cost is not a factor, you should go for Netsparker, AppScan, etc. Alternatively, you can start with ZAP and see if it meets your requirements, and plan to upgrade accordingly.

it_user755601 - PeerSpot reviewer
Real User

I would choose the Owasp Zap application instead of the Netsparker app. The reason is simple: the solutions are very similar, but I could do the same things using Zap for free.

If I had to pay for a complete tool, I would buy BurpSuite. That tool could offer me more capabilities and extensions.

Definitely, I would like to choose Owasp Zap (it has a big community behind the project).

Buyer's Guide: Invicti vs. OWASP Zap (July 2022)