Security Testing: OWASP ZAP (Zed Attack Proxy)

This review introduces OWASP ZAP as a free, cross-platform security testing tool that balances beginner accessibility with a broad set of scanning and proxy capabilities. It highlights practical strengths, reporting tradeoffs, and where ZAP fits for teams starting web app penetration testing.

Coveros Staff

December 6, 2012

As part of my collection of reviews and thoughts on today’s Security Testing Tools, I’m taking a look at the Zed Attack Proxy (ZAP) by OWASP. While my last review, of WebSecurify, looked at a very simplistic tool for Web Application Security Testing, this review brings us a slightly more complex tool.

So where do we start?

ZAP is a pretty easy-to-use integrated penetration testing tool for finding vulnerabilities in your web applications. It’s designed for developers, testers and security experts alike, covering people with a wide range of security expertise. Ideally, as OWASP freely admits, this tool is best for developers and testers who are new to penetration testing. ZAP is available for Linux, Windows and Mac, so don’t let the platform get in the way of trying it out.

For a free tool, ZAP provides a lot of features including:

  • Intercepting Proxy
  • Automated Scanner
  • Passive Scanner
  • Brute Force Scanner
  • Fuzzer
  • Port Scanner
  • Spider
  • and more…
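As an added illustration of what the Passive Scanner in the list above does (this is example code written for this review, not code from the original post or from ZAP itself): a passive scanner only inspects the traffic that has already flowed through the proxy and flags hardening gaps in it, without sending any extra requests to the target. The captured responses, the header list and the rule names below are constructed for this example and are assumptions, not ZAP's actual rule set.

```python
"""Toy passive scan over captured HTTP responses (added example, not ZAP code)."""
from dataclasses import dataclass


@dataclass
class Response:
    """One response recorded by the proxy. Headers are (name, value) pairs so
    that repeated headers such as Set-Cookie are preserved."""
    url: str
    status: int
    headers: list
    body: str = ""


# Headers whose absence a passive check reports. The rule names are this
# example's own (assumption), not ZAP's scan-rule identifiers.
EXPECTED_HEADERS = {
    "x-frame-options": "anti-clickjacking-header-missing",
    "x-content-type-options": "content-type-options-missing",
    "content-security-policy": "csp-missing",
}


def passive_checks(resp):
    """Return a list of (rule, evidence) findings for one response.

    Nothing here touches the network: the checks read the recorded response only,
    which is what makes the scan 'passive'."""
    findings = []
    present = {name.lower() for name, _ in resp.headers}

    # 1. Missing hardening headers.
    for name, rule in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append((rule, name))

    for name, value in resp.headers:
        lname = name.lower()
        if lname == "set-cookie":
            # 2. Cookie attributes: everything after the first ';' is an attribute.
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(("cookie-without-httponly", cookie_name))
            if resp.url.startswith("https://") and "secure" not in attrs:
                findings.append(("cookie-without-secure", cookie_name))
        elif lname == "server" and any(ch.isdigit() for ch in value):
            # 3. Server banner that includes a version number.
            findings.append(("server-version-disclosure", value))
    return findings


def scan_history(responses):
    """Run the checks over every captured response; returns {url: [findings]}."""
    return {r.url: passive_checks(r) for r in responses}


# Constructed sample history (hypothetical host and values, not real traffic).
SAMPLE_HISTORY = [
    Response("https://app.example/login", 200, [
        ("Content-Type", "text/html"),
        ("Server", "Apache/2.2.22"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ]),
    Response("https://app.example/static/app.js", 200, [
        ("Content-Type", "application/javascript"),
        ("X-Frame-Options", "DENY"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
    ]),
]

if __name__ == "__main__":
    for url, findings in scan_history(SAMPLE_HISTORY).items():
        print(url)
        for rule, evidence in findings:
            print(f"  {rule}: {evidence}")
```

Run as written, the login page yields six findings (three missing headers, the version-bearing Server banner, and the session cookie lacking both HttpOnly and Secure) while the static asset yields none. A real passive scanner such as ZAP's runs many more rules than this, but the shape is the same: read what the proxy already saw, report, and never add requests of its own.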

While it’s not a one-button click-and-run tool, it’s definitely not too challenging to get going. Using ZAP reminded me a lot of Netsparker Pro, down to how it’s organized and laid out. The tool runs relatively quickly, is lightweight and has a clean interface, which helps when analyzing large amounts of data. The coverage and detail are really good, and the comprehensive help pages would be very useful for a security novice. On top of everything else, the results of the scans ran fairly similar to those of the other scanners I ran. While I can’t certify there are no gaps in security analysis, from my quick look the coverage seemed pretty strong.

Surprisingly it has some decent report generation features as well.

So what’s the catch?  There’s always a catch…

Well, the reporting tool may not be the best reporting tool in the world, but it definitely beats paying an arm and a leg for a product giving you the same scan results. This product is also maintained by the OWASP community, so you’re at the mercy of the community for any updates and the priority those updates are assigned in the queue. But let’s be real: can you beat free?

Try it out today, let me know your thoughts in the comments.

Coveros Staff

This post represents the collective insights of the Coveros team. Our staff consists of software experts who bring deep experience in secure agile development, DevOps, testing, and software quality. Over the past 20 years, Coveros has trained more than 30,000 professionals and worked with half of the Fortune 100 companies on mission-critical software development challenges. We draw on this extensive experience to share practical insights, proven strategies, and real-world solutions that help organizations build better software faster and more securely.