We compared Veracode and OWASP ZAP across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Based on the user reviews, Veracode is the preferred product over OWASP ZAP. However, if your budget is limited and you have the technical expertise to handle setup and customization yourself, go for OWASP ZAP. If you prioritize ease of use and a cloud-based solution, and you require a broader range of security functionalities beyond vulnerability scanning alone, choose Veracode.
"The solution is good at reporting the vulnerabilities of the application."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"The API is exceptional."
"It scans while you navigate, then you can save the requests performed and work with them later."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."
"The application scanning feature is the most valuable feature."
"It has improved my organization with faster security tests."
"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."
"I like the way the flaws are reported in the system."
"The CI/CD integration is the most valuable feature of Veracode."
"Scanning of .war and .jar is key for us."
"The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"The article scanning is excellent."
"Veracode provides faster scans compared to other static analysis security testing tools."
"It doesn't run on absolutely every operating system."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"The documentation is lacking and out-of-date, it really needs more love."
"Reporting format has no output, is cluttered and very long."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"The reporting feature could be more descriptive."
"It would be nice to have a solid SQL injection engine built into Zap."
"The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."
"They should improve on the static scanning time."
"I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."
"The zip file scanning has room for improvement."
"We would like a way to mark entire modules as 'safe.' The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
"I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."
"It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas."
"The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary."
OWASP ZAP is ranked 7th in Static Application Security Testing (SAST) with 37 reviews, while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. OWASP ZAP is rated 7.6, while Veracode is rated 8.2. The top reviewer of OWASP ZAP writes "Great for automating and testing and has tightened our security". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". OWASP ZAP is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional and Checkmarx One, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Fortify Static Code Analyzer. See our OWASP ZAP vs. Veracode report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.