ZAP vs. StackHawk:
Dynamic Application Security
Testing Tool Comparison

ryan-severns

Ryan Severns|March 12, 2021

Interested in the differences between open-source ZAP and StackHawk, an application security product built on ZAP? The comparison below walks through how the two tools stack up.

When it comes to dynamic application security testing (DAST), ZAP is the industry standard. As an open-source tool, it has developed significant popularity among security teams, penetration testers, and engineering teams alike. Teams at some of today’s leading software companies rely on ZAP as their dynamic AppSec testing solution. In short, when it comes to a DAST scanner, it is tough to beat ZAP. 

If you want to scale application and API security across a software team, however, there are benefits of using software built on top of ZAP. StackHawk is the leading dynamic application security testing tool for modern engineering teams. Built on top of ZAP, StackHawk takes the power of ZAP’s scanning and makes it simple to automate and scale throughout engineering.

tl;dr: StackHawk vs. ZAP

Below is a quick teardown of ZAP vs. StackHawk 👇. Be sure to read on for more details!

Feature
DAST SCANNER
Trusted Open Source ZAP ScannerSupported by Stackhawk
Server-side HTML Application TestingSupported by Stackhawk
Single Page Application TestingSupported by Stackhawk
REST API TestingSupported by Stackhawk
GraphQL TestingSupported by Stackhawk
Technology Flags for Scan Speed and Reduce False PositivesSupported by Stackhawk
Optimizations for Scanner PerformanceSupported by Stackhawk
CI/CD AUTOMATION
Configuration as CodeSupported by Stackhawk
Findings Triage and State ManagementSupported by Stackhawk
Finding History and DocumentationSupported by Stackhawk
Docker Based Scanner to Scan AnywhereSupported by Stackhawk
Desktop Application for Manual TestingSupported by Stackhawk
TESTING EXPERIENCE
Developer-First Web ApplicationSupported by Stackhawk
Simplified Fixes with Docs and cURL Command GenerationSupported by Stackhawk
Integrations with Other Engineering ToolsSupported by Stackhawk
Automated Authenticated ScanningSupported by Stackhawk
OpenAPI Spec Integration for API TestingSupported by Stackhawk

Key Differences Between ZAP and StackHawk

DAST Scanner Comparison 

When using StackHawk for application security testing, the scans that are run are ultimately simply running ZAP. You can ensure that you have a trusted scanner with an ever improving suite of security tests. In addition to that, however, StackHawk provides a few key benefits:

  • Technology Flags for Scan Scoping: When configuring an application for scanning in StackHawk, you can select the underlying technologies used within the application. This ensures that the scanner only runs tests that are relevant for your application architecture, reducing scan times and false positives.

  • Scanner Performance: As big believers in automated DAST in CI/CD, StackHawk knows that your security tests must be highly performant. StackHawk has optimized ZAP’s performance to ensure that tests run quickly and successfully every time.

Automating DAST in CI/CD

zap-vs-stackhawk-comparison-img-3 image

The fact that application security is shifting left is widely accepted. Gone are the days of scheduled scans or reliance on periodic penetration testing. Modern software teams know that application security testing must be automated in CI/CD.

ZAP is built for automation, and StackHawk makes it simple to automate at scale. Below are the key benefits that automation with StackHawk provides:

  • Configuration as Code: StackHawk is configured via a YAML file, which means that your security testing can have the same version control you already rely on. Plus, with YAML overlays, it is simple to leverage shared configuration across multiple test environments.

  • Finding Triage to Manage Findings: When your scan finds a potential vulnerability, you have the choice of fixing it at that moment or putting it in a triaged state within the StackHawk platform. When you send a finding to your issue tracking tool such as Jira, or mark it with a status such as Risk Accepted, the scanner will no longer break the build for that particular finding.

  • Finding History and Documentation: With StackHawk, you have a simple interface to review scan history, finding history, and documentation of selected actions. This allows security teams to maintain visibility while scaling application security.

  • Managed Docker Deployment to Scan Anywhere: StackHawk is deployed via Docker, which makes it simple to scan your application, regardless of where it is running. 

  • Authenticated Scanning: Running automated, authenticated scans is simple with StackHawk. We support cookie-based, bearer-token, and external token auth. Check out our authentication docs or chat with our support team for more information.

Developer Experience for Scaling AppSec

zap-vs-stackhawk-comparison-img-4 image

Scaling application security and shifting left require developer involvement in the application security testing process. With modern DevOps (or DevSecOps) pipelines, a developer is alerted with a broken build if their latest changes don’t pass unit tests or integration tests. Security should be no different.

A key difference between ZAP and StackHawk is the developer experience when a potential vulnerability is identified. StackHawk makes it simple to roll out application security testing across the engineering organization, resulting in shorter time to fix and increased ability to deliver secure applications and APIs.

  • Platform User Experience: StackHawk is a developer-first application security testing tool. The StackHawk UI equips engineers and security professionals alike with the ability to quickly grok a finding with vulnerability overviews, links to fix documentation, and the request / response evidence for the vulnerability.

  • Fixes Simplified with Docs and cURL Commands: As with any bug, security vulnerabilities are easiest to fix when the developer is in the context of the code they were just working on. With StackHawk, a developer is alerted when a new potential vulnerability is found. Then, the platform provides fix documentation, the request / response evidence of the finding, and a cURL command generator to recreate the same request. 

  • Engineering Workflow Integrations: StackHawk provides integrations with other engineering tools, such as Jira, Datadog, Slack and more. By tying into tooling the engineering team already uses, scaling application security has never been easier.

Building vs. Buying Your AppSec Tools

With the ZAP open source scanner at the core of StackHawk, it is no secret that your team could technically accomplish the same testing without purchasing StackHawk. Ultimately, it comes down to whether you want to devote time and resources to building functionality around ZAP to automate and scale the application security testing or if you would prefer to implement a tool that has already done this for you.

With StackHawk, you can leverage the power of ZAP with a rich suite of functionality built around it. Not only that, but StackHawk has a highly responsive support team to help any issues that you may encounter.

Find and Fix Security Vulnerabilities

Conclusion

ZAP is an excellent application security testing tool (which is why we chose to build on top of it here at StackHawk!). We’re obviously biased, but there are significant benefits of using a tool like StackHawk for your application security testing. You get the same trusted and powerful scanner either way. On top of that, StackHawk simplifies the process of automating scans and provides a rich user experience.

So go ahead – get started with a StackHawk trial or free account today.


Ryan Severns  |  March 12, 2021