We compared Veracode and OWASP Zap across several parameters based on our users' reviews. Our conclusion, drawn from the collected data, follows:
Based on the user reviews, Veracode is the preferred product over OWASP Zap. However, if your budget is limited and you have the technical expertise to set up and customize the tool yourself, go for OWASP Zap, which is free and open source but covers only dynamic (DAST) scanning. If you prioritize ease of use and a cloud-based solution, and you need a broader range of security functionality beyond dynamic vulnerability scanning (static analysis, software composition analysis, policy reporting), choose Veracode.
"The scalability of this product is very good."
"It updates repositories and libraries quickly."
"The solution has tightened our security."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"It has improved my organization with faster security tests."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"The interface is easy to use."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."
"Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."
"The product’s policy reporting for ensuring compliance with industry standards and regulations is great."
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, saying, 'This function/method has security vulnerabilities,' and then suggesting alternatives to fix it. Then we adopt the tool's suggestions. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code, the tool points to the problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
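The reviewer above describes the scanner flagging an unbounded memory copy and suggesting a safer version. The following is an added illustration of that before/after pattern, not code from the page, from the reviewer, or from Veracode: a fixed-size struct, a copy routine that trusts the caller-supplied length (the kind of finding a SAST tool reports), and a hardened routine that bounds the copy and rejects oversized input instead of truncating silently. The struct, function names and sample input are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed example record: a fixed-size name followed by a flags word.
 * An overflow of 'name' lands directly on 'flags'. */
typedef struct {
    char     name[NAME_LEN];
    uint32_t flags;
} record_t;

/* BEFORE: the pattern a static analyser flags. The copy length comes
 * from the caller and is never compared with sizeof(r->name). Any
 * src_len > NAME_LEN overwrites 'flags' and whatever follows it, and the
 * result is never NUL-terminated, so later strlen/printf over-read. */
static void copy_name_unsafe(record_t *r, const char *src, size_t src_len)
{
    memcpy(r->name, src, src_len);
}

/* AFTER: the hardened form a scanner's remediation advice points toward.
 * The length is checked against the destination before the copy, one
 * byte is reserved for the terminator, and an oversized input is
 * rejected with -1 rather than silently truncated (truncation can turn
 * "admin-readonly" into "admin", which is its own bug). */
static int copy_name_safe(record_t *r, const char *src, size_t src_len)
{
    if (r == NULL || src == NULL) {
        return -1;
    }
    if (src_len >= sizeof r->name) {      /* >= leaves room for '\0' */
        return -1;
    }
    memcpy(r->name, src, src_len);
    r->name[src_len] = '\0';
    return 0;
}

/* Convenience wrapper for C strings: derives the length with a bound so
 * an unterminated source cannot make strlen() run off the end. */
static int set_name(record_t *r, const char *src)
{
    size_t n = strnlen(src, sizeof r->name);   /* caps the scan at NAME_LEN */
    return copy_name_safe(r, src, n);
}

int main(void)
{
    record_t r;
    const char *short_name = "alice";                       /* constructed input */
    const char *long_name  = "a-name-that-is-far-too-long"; /* 27 bytes, constructed */

    memset(&r, 0, sizeof r);
    r.flags = 0x00000001u;

    /* Hardened path: accepts the short name, rejects the long one. */
    printf("safe short: %d (name=\"%s\", flags=0x%08x)\n",
           set_name(&r, short_name), r.name, r.flags);
    printf("safe long:  %d (name=\"%s\", flags=0x%08x)\n",
           set_name(&r, long_name), r.name, r.flags);

    /* Flagged path: same long input, no check. Build with
     * -fsanitize=address to see the overflow reported at this line. */
    copy_name_unsafe(&r, long_name, strlen(long_name));
    printf("unsafe long: flags is now 0x%08x (was 0x00000001)\n", r.flags);
    return 0;
}
```

Build with `cc -fsanitize=address,undefined example.c` to have the unsafe call reported at run time; without sanitizers the program still runs, but the last line shows `flags` overwritten with bytes from the oversized name. The point for remediation is the return-value contract of `copy_name_safe`: the caller must handle the -1 rather than assume the copy happened.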
"The security team can track the remediation and risk acceptance statistics."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The product should allow users to customize the report based on their needs."
"The solution is unable to customize reports."
"ZAP's integration with cloud-based CI/CD pipelines could be better. The scan should run through the entire pipeline."
"Online documentation can be improved so that all features of ZAP, and its API methods, can be used in automation."
"Lacks resources where users can internally access a learning module from the tool."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."
"False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."
"In some cases we use their APIs; they're not as rich as I would like."
"The scanning takes a lot of time to complete."
"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."
"I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."
"In the future, I would like to see the RASP capability built-in."
"In the next release, I would like a proper way of packaging files for scanning, the packaging of iOS apps, and an API dynamic-scan methodology."
OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews, while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. OWASP Zap is rated 7.6, while Veracode is rated 8.2. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional and Checkmarx One, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Fortify Static Code Analyzer. See our OWASP Zap vs. Veracode report.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.