One of the most popular comparisons on IT Central Station is OWASP ZAP vs PortSwigger Burp.
Which of these two solutions would you recommend for Application Security Testing and why?
Both have very powerful abilities. ZAP has the advantage of being free, but Burp's free version will work similarly. As someone who uses both, depending on the circumstances, one can be preferred to the other.
I'll have to ask my community. I have had just passing experience with PortSwigger, and I know OWASP has a list of website security best development practices to avoid cross-site scripting and other vulnerabilities.
Micro Focus just did a demo with me on their product Fortify. It runs static and dynamic code analysis using OWASP recommendations, in about 16 programming languages, including VBScript. They do not have integration with ALM yet.
We use Rapid7 for our dynamic testing. I do not have experience with the two below, even though I went to a talk on ZAP a week ago, and the presenter did warn that this was not a tool to be used on a production system, since it would be putting some data in the database as part of its attacks, so it needed to be done in a test environment.
I wasn't aware of OWASP ZAP, and we are using PortSwigger Burp in our software development company, so I would recommend Burp, but I'm already downloading OWASP ZAP and will evaluate it to see the advantages/disadvantages.
I would like to know if nowadays (2021) the license of Burp Suite Pro is worth the cost. Is it a good option to use OWASP ZAP instead for testing security in web applications?