As part of my ongoing collection of reviews and thoughts on today’s Security Testing Tools, I’m taking a look at the Zed Attack Proxy (ZAP) by OWASP. While, my last review of WebSecurify, looked at a very simplistic tool for Web Application Security Testing, this review will bring us a slightly more complex tool.
So where do we start?
ZAP is a pretty easy to use integrated penetration testing tool for finding vulnerabilities in your web applications. Its designed for developers, testers and security experts, alike, by being designed for people with a wide range of security expertise. Ideally, as OWASP freely admits, this tool is best for developers and testers who are new to penetration testing. ZAP is available for Linux, Windows and Mac, so don’t let the platform get in your way of trying it out.
For a free tool, ZAP provides a lot of features including:
- Intercepting Proxy
- Automated Scanner
- Passive Scanner
- Brute Force Scanner
- Port Scanner
- and more…
So what’s the catch? There’s always a catch…
Well, the reporting tool may not be the best reporting tool in the world, but it definitely beats paying an arm and a leg for a product giving you the same results of a scan. This product is also maintained by the OWASP community, so your at the will of the community for any updates and the priority those updates are assigned in the queue. But let’s be real: You can beat free?
Try it out today, let me know your thoughts in the comments.