OWASP’s ZAP is a free, open-source DAST scanner widely used by security professionals around the world to find web application vulnerabilities. SOOS’s DAST scanning abilities are built on ZAP’s foundations, but with added features that makes automated DAST scanning an affordable and seamless part of your software development cycle. SOOS makes it easy to add DAST to the software security mix.

The OWASP organization’s ZAP (Zed Attack Proxy) tool is far and wide the most widely used and respected open source Dynamic Application Security Testing (DAST) tool. It scans your web applications by navigating through your pages and their states, gathering data and running tests that simulate the real time attacks of a hacker. Some of the most dangerous vulnerabilities out there–cross-site scripting, SQL injection, and other forms of remote code execution–can be found using ZAP, including the recently disclosed Spring4Shell vulnerability. These are the security flaws that cost businesses billions in lost revenue as their assets are stolen, leaked, or held for ransom. ZAP is continually evolving, with contributions from a widespread community of users and engineers.tl;dr SOOS vs ZAP: SOOS automates, integrates, and disseminates DAST, simplifying and shifting AppSec left.

SOOS vs. ZAP

Feature

VULNERABILITY SCANNER (DAST/SCA)

HTML App DAST Tests

Single Page App DAST Tests

Incorporates Industry-Standard Open Source ZAP Scanner

Just in Time Generation of OAuth Tokens

Includes Leading SCA Vulnerability Scanner (>12 languages/packages)

REST API & SOAP Testing

GraphQL Testing

Vulnerability Scans for Known CVEs in OSS Packages

Open Source License Management

SBOM Generation with Vulnerability Data

INTEGRATIONS

Integration Helpers for Leading CI/CD Systems

Fix Management with GitHub Issues or Jira

Auto Scanning on Build/Branch Changes

Script Configurations

Vulnerability Remediation Management and Triage Documentation

Full Scan History

Push Scan Results to GitHub Security Panel

SARIF Output Support

RKVST SBOM Hub Integration

DEVELOPMENT TEAM EXPERIENCE

Easy Branch Setup and Configurations

OpenAPI Integration for API Testing

Robust Scan Information Pushed to Build Output

Role-Based Dashboard for Engineering/Legal/Security Viewers

Support

Easy Setup

There are quite a few ways of using ZAP–one of the most common being downloading and installing the desktop app on your computer, as well as through command line interfaces (CLIs) or docker images. However, all of that is how one individual might install and deploy ZAP–the question is, how does this become a useful app sec tool that can inform the decisions not just of software developers, but of the disparate group of stakeholders, from engineering to product management to legal? Not everyone needs to be a certified pen tester, but demystifying application security as broadly as possible brings the whole “secure by design” ideal just a smidge closer to reality.

SOOS’s integrated DAST scanning is built on top of ZAP’s fantastic open source tools, but includes full integration capabilities to make using ZAP easy and automatic for the engineering team. SOOS DAST scan can be seamlessly integrated into your CI/CD systems, allowing you to make it fully part of your DevSecOps pipeline. This means that when product and branch builds are completed you can kick off an automatic DAST scan and break a build or notify the engineering team of any issues.

As awesome as ZAP is, being an open source project means that it’s supported by a team that is (mostly) volunteers, and while they crank out great features, there isn’t traditional tech support. Most commercial DAST options often charge by the seat (user), or by the scan, or even by the number of endpoints being tested, and end up costing thousands of dollars per month, and often with substantial limitations on concurrent scans and usage-growth potential.  SOOS removes these limitations and also includes our core Software Compositional Analysis (SCA) scanning tool, with no seat limits and no concurrent scan limits.  Check out a demo of our DAST product here. 

Key differences between SOOS DAST and ZAP:

• SOOS DAST includes SOOS’s world-class SCA tool
• CI/CD integration with popular platforms such as Jenkins, CircleCI, TeamCity, Azure DevOps, GitHub, GitLab, and more 
• Issue management—native Jira or DAST GitHub Issues integration support for tracking
• Includes unlimited Software Composition Analysis scans
• Graphical scan history for auditing and research
• Reporting, including SBOM generation
• Rich web vulnerability dashboard consolidates DAST & SCA scan results
• Configurable user access levels allow your whole team to access the web dashboard while maintaining “least privilege” principles
• Robust advisory information and security recommendations
• Responsive technical support

There are quite a few ways of using ZAP–one of the most common being downloading and installing the desktop app on your computer, as well as through command line interfaces (CLIs) or docker images. This works well for an individual developer but for the development team SOOS makes ZAP a useful app sec tool that can inform the decisions automatically and earlier in the process. 

SOOS isn’t just for software developers, but designed for a wider group of stakeholders; the engineering, product management, security, and legal teams. You don’t need to be a certified pen tester to demystify application security. 

Make “secure by design” a reality today with SOOS’s easy-to-use and affordable software security tools.