
Which Would You Recommend To Your Boss, OWASP Zap or PortSwigger Burp?

One of the most popular comparisons on IT Central Station is OWASP Zap vs PortSwigger Burp.


Which of these two solutions would you recommend for Application Security Testing and why?



ITCS user
44 Answers

Real User

Both have very powerful abilities. ZAP can be an advantage for free, but Burp's free version will work similarly. As someone who uses both, depending on the circumstances, one can be preferred to the other.

Real User

I’ll have to ask my community. I have had just passing experience with PortSwigger, and I know OWASP has a list of website security best dev practices to avoid cross-site scripting and other vulnerabilities.

Micro Focus just did a demo with me on their product Fortify. It runs static and dynamic code analysis using OWASP recommendations, in about 16 programming languages, including VBScript. They do not have integration with ALM yet.

author avatar

We use Rapid7 for our dynamic testing. I do not have experience with the two below, even though I went to a talk on ZAP a week ago, and the person did warn that this was not a tool to be used on a production system, since it would be putting some data in the database as part of its attacks, so it needed to be done in a test environment.

author avatar

I wasn’t aware of OWASP ZAP and we are using PortSwigger Burp in our software development company, so I would recommend Burp, but I’m already downloading OWASP ZAP and will evaluate it to see the advantages/disadvantages.
