SOOS @ Black Hat USA 2022
August 9-11 | Booth #IC58

ZAP vs. SOOS: Dynamic Application Security Testing Tool Comparison

OWASP’s ZAP is a free, open-source DAST scanner used by security professionals around the world to find web application vulnerabilities. SOOS’s DAST scanning is built on ZAP’s foundations, with added features that make automated DAST scanning an affordable and seamless part of your software development cycle.

OWASP’s ZAP (Zed Attack Proxy) is by far the most widely used and respected open source Dynamic Application Security Testing (DAST) tool. It scans a web application by crawling its pages and their states, gathering data and running active tests that simulate what a real attacker would try against the running site. Some of the most dangerous classes of vulnerability, such as cross-site scripting, SQL injection and remote code execution, can be found with ZAP, including the recently disclosed Spring4Shell vulnerability (CVE-2022-22965). These are the security flaws that cost businesses billions as their assets are stolen, leaked or held for ransom. ZAP is continually evolving, with contributions from a worldwide community of users and engineers.

tl;dr SOOS vs ZAP: SOOS automates, integrates, and disseminates DAST, simplifying and shifting AppSec left.


Feature                                                              ZAP   SOOS

HTML App DAST Tests                                                          ✓
Single Page App DAST Tests                                                   ✓
Incorporates Industry-Standard Open Source ZAP Scanner                       ✓
Includes Leading SCA Vulnerability Scanner (>12 languages/packages)          ✓
REST API & SOAP Testing                                                      ✓
GraphQL Testing                                                              ✓
Vulnerability Scans for Known CVEs in OSS Packages                           ✓
Open Source License Management                                               ✓
SBOM Generation with Vulnerability Data                                      ✓

Integration Helpers for Leading CI/CD Systems                                ✓
Fix Management with GitHub Issues or Jira                                    ✓
Auto Scanning on Build/Branch Changes                                        ✓
Script Configurations                                                        ✓
Vulnerability Remediation Management and Triage Documentation                ✓
Full Scan History                                                            ✓
Push Scan Results to GitHub Security Panel                                   ✓
SARIF Output Support                                                         ✓
RKVST SBOM Hub Integration                                                   ✓

Easy Branch Setup and Configurations                                         ✓
OpenAPI Integration for API Testing                                          ✓
Robust Scan Information Pushed to Build Output                               ✓
Role-Based Dashboard for Engineering/Legal/Security Viewers                  ✓
Support                                                                      ✓
Easy Setup                                                                   ✓

There are several ways to run ZAP: the most common are installing the desktop application, driving it from the command line, or pulling the official Docker image. All of those describe how one individual installs and runs ZAP. The harder question is how its findings become an AppSec signal that informs not just software developers but the wider set of stakeholders, from engineering to product management to legal. Not everyone needs to be a certified pen tester, but demystifying application security as broadly as possible brings the whole “secure by design” ideal a little closer to reality.

SOOS’s integrated DAST scanning is built on top of ZAP’s open source tooling and adds the integration layer that makes running ZAP easy and automatic for an engineering team. A SOOS DAST scan plugs into your CI/CD system so that it becomes a regular stage of the DevSecOps pipeline: when a product or branch build completes, an automatic DAST scan kicks off, and any findings can break the build or notify the engineering team.
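As an added example of the build-break step described above (this is not SOOS’s or ZAP’s own code), the script below consumes the JSON report that ZAP writes, for instance from `zap-baseline.py -t https://app.example.test -J report.json` run inside the ZAP Docker image, counts findings by risk, fails the job when any alert reaches a configurable threshold, and writes a minimal SARIF 2.1.0 file of the kind the GitHub Security panel accepts through the `upload-sarif` action. The target URL, `SAMPLE_REPORT` and the default threshold are assumptions for illustration; the report shape follows ZAP’s traditional JSON report format.

```python
"""CI gate for an OWASP ZAP JSON report: fail the build above a risk threshold
and emit SARIF for upload to GitHub code scanning.

Added example, not ZAP's or SOOS's code. The input follows ZAP's traditional
JSON report (as written by zap-baseline.py -J report.json); SAMPLE_REPORT is
constructed for illustration, not the output of a real scan.
"""
import json
import sys

# ZAP riskcode values: 0 Informational, 1 Low, 2 Medium, 3 High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# GitHub code scanning accepts SARIF levels error / warning / note / none
SARIF_LEVEL = {0: "note", 1: "note", 2: "warning", 3: "error"}

# Constructed sample shaped like a ZAP JSON report (hypothetical host).
SAMPLE_REPORT = {
    "@version": "2.11.1",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "cweid": "79",
             "instances": [{"uri": "https://app.example.test/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""}]},
        ],
    }],
}


def flatten_alerts(report):
    """Yield (site name, alert) pairs; riskcode is a string in ZAP's JSON."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", ""), alert


def risk_counts(report):
    """Count alerts per risk level (an alert may carry several instances)."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for _, alert in flatten_alerts(report):
        counts[RISK_NAMES[int(alert["riskcode"])]] += 1
    return counts


def build_fails(report, fail_on="Medium"):
    """True when any alert is at or above the threshold risk level."""
    threshold = {name: code for code, name in RISK_NAMES.items()}[fail_on]
    return any(int(a["riskcode"]) >= threshold for _, a in flatten_alerts(report))


def to_sarif(report):
    """Minimal SARIF 2.1.0: one rule per ZAP plugin id, one result per instance."""
    rules, results, seen = [], [], set()
    for _, alert in flatten_alerts(report):
        rule_id = f"zap-{alert['pluginid']}"
        if rule_id not in seen:
            seen.add(rule_id)
            rules.append({"id": rule_id, "name": alert["alert"],
                          "shortDescription": {"text": alert["alert"]},
                          "properties": {"cwe": alert.get("cweid", "")}})
        for inst in alert.get("instances", []):
            results.append({
                "ruleId": rule_id,
                "level": SARIF_LEVEL[int(alert["riskcode"])],
                "message": {"text": f"{alert['alert']} ({inst.get('method', '')} "
                                    f"param={inst.get('param', '') or '-'})"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": inst["uri"]}}}],
            })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "OWASP ZAP", "rules": rules}},
                  "results": results}],
    }


def main(argv):
    # Usage: zap_gate.py report.json [fail_on]; with no file the sample is used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    fail_on = argv[2] if len(argv) > 2 else "Medium"
    with open("zap.sarif", "w") as fh:
        json.dump(to_sarif(report), fh, indent=2)
    print("ZAP alerts by risk:", risk_counts(report))
    # Non-zero exit breaks the CI job; the SARIF file is uploaded regardless.
    return 1 if build_fails(report, fail_on) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the step after the scan, then upload `zap.sarif` in a step that runs even when the gate fails, so the findings still reach the Security panel. The threshold is deliberately on risk rather than confidence: a Low-confidence High-risk alert still deserves a human look before the branch merges.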

As good as ZAP is, it is an open source project supported by a team that is mostly volunteers; they ship great features, but there is no traditional technical support. Most commercial DAST products charge per seat (user), per scan, or per endpoint tested, and end up costing thousands of dollars per month, often with tight limits on concurrent scans and on how far usage can grow. SOOS removes those limitations and bundles our core Software Composition Analysis (SCA) scanner, with no seat limits and no concurrent-scan limits. Check out a demo of our DAST product here.

DAST Screenshot

Key differences between SOOS DAST and ZAP:

  • SOOS DAST includes SOOS’s world-class Software Composition Analysis (SCA) tool, with unlimited SCA scans
  • CI/CD integration with popular platforms such as Jenkins, CircleCI, TeamCity, Azure DevOps, GitHub, GitLab, and more
  • Issue management: native Jira or GitHub Issues support for tracking findings
  • Graphical scan history for auditing and research
  • Reporting, including SBOM generation
  • Rich web vulnerability dashboard that consolidates DAST and SCA scan results
  • Configurable user access levels let the whole team use the web dashboard while keeping to the principle of least privilege
  • Robust advisory information and security recommendations
  • Responsive technical support

Make “secure by design” a reality today with SOOS’s easy-to-use and affordable software security tools. 

Copyright © 2022 SOOS | Terms of Service | Privacy Policy