Success Stories on ZAP

Jit

Fri, 24 Feb 2023 00:00:00 +0000

ZAP has changed the adoption of security across the industry, enabling any organization to have better web application security through open source tooling. That is why after research and benchmarking Jit selected ZAP to be a critical tool in its DevSecOps orchestration platform. As a best of breed OSS DAST tool (dynamic application security testing), it provides development teams with the confidence in their application and API security, enabling them to deploy code at the velocity modern engineering organizations require.

Mozilla

Wed, 14 Apr 2021 00:00:00 +0000

ZAP is integral to how Mozilla secures the services powering core Firefox features including Accounts, Addons, and Sync for millions of individuals around the world. We support the open source development of ZAP, because it helps us ensure the security and privacy of our users keeping the Internet a global, public resource open and accessible to all.

SkypLabs

Wed, 07 May 2025 00:00:00 +0000

SkypLabs is an Ireland-based company providing a wide range of IT services globally, including security reviews and penetration testing. Created in 2021, we have since worked with many different organisations to help them build and secure their work.

ZAP is our main tool when conducting web application penetration tests, and we also use it when analysing the web trafic of desktop and mobile applications. Besides its versatility and unique features compared to competitors, as being a company focusing on open-source and user-respecting software, we love being able to contribute to projects that share our values. We have, for instance, added the possibility to probe and parse .DS_Store files to automatically discover new resources on a website with kingthorin’s help, and the ability of searching into notes (that we use a lot during security engagements).

Possible Security

Wed, 30 Apr 2025 00:00:00 +0000

At Possible Security, we deliver specialized, expert-driven cybersecurity services to high-profile clients across industries. Our focus areas include penetration testing, red teaming, premium audits, and consulting. Based in Riga – the capital of Latvia and the jewel of Northern Europe – we are one of the few market leaders in the field – serving government institutions, critical infrastructure providers, and private sector clients with complex security needs.

Lombiq

Wed, 06 Dec 2023 00:00:00 +0000

ZAP now automatically scans our ASP.NET Core apps for each code change, and we couldn’t be happier with it.

We at Lombiq provide development, training, hosting, and consulting services for open source .NET-based technologies like the ASP.NET Core web CMS and framework Orchard Core. Our clients include Live Nation Clubs and Theaters, the Smithsonian Institution, and Microsoft itself.

Clue Security Services AG

Wed, 21 Jun 2023 00:00:00 +0000

The ZAP tool is a significant asset to Clue, as it is utilized on a daily basis by our security engineers. For the efficient design of a resilient WAF security policy, it is vital to reverse engineer the data flow of an application. ZAP offers an easy way to make the data flow transparent, to visualize the attack surface, and to develop tailor-made policies to minimize it. ZAP is also regularly used in application security consulting. Whether it is to develop and demonstrate a proof of concept for a found code vulnerability, to test an implemented application security function or just to have a function report which is used for threat modeling of an existing function. It is a pleasure to work with ZAP, which we use as a multi-tool for a variety of tasks related to application security.

Codific

Wed, 05 Jan 2022 00:00:00 +0000

Codific is a developer of secure collaboration tools in Ed Tech, MedTech and HR Tech. Our team of software engineers leverages privacy by design and security by design principles to maximize the security of the applications and the privacy of its users.

Codific leverages a security assurance programme for all product development lifecycle. There are many Application Security programmes out there with OWASP SAMM being by far the simplest of them. SAMM consists of 15 security practices with Secure Deployment and Security Testing amongst them. Both security practices in their higher maturity levels require the use of a dynamic application security testing (DAST) integrated in the CI/CD pipeline. After a time-boxed research into a number of DAST tools we have selected ZAP as our weapon of choice.

we45 and AppSecEngineer

Wed, 11 Aug 2021 00:00:00 +0000

We at we45 and our training venture, AppSecEngineer use and train on ZAP extensively. We strongly believe ZAP to be the most programmable DAST tool in its class, regardless of commercial or OSS alternatives.

One of the things we do with our clients is to implement continuous DAST scanning as part of their DevSecOps initiatives. Many of our clients run a bevy of automated scans on a periodic basis, triggered through CI tooling with ZAP as the tool. For some of those that have End-to-End Test Automation Scripts with Selenium, Cypress, etc, we set up ZAP to be able to run authenticated, completely automated scanning, which is something we find unique in the DAST space

Orange Business Services

Wed, 21 Jul 2021 00:00:00 +0000

At OBS, we strive continually to bring our customers peace of mind with strengthened and reinforced application security.

As part of automating our web application and API security, we chose to deploy ZAP as one of our Dynamic Application Security Testing (DAST) technologies. This DevSecOps approach helps our developers and engineering teams to detect vulnerabilities, including the OWASP Top Ten Web and API, in CI/CD pipelines before releasing our solutions.

Banzai Cloud

Wed, 14 Apr 2021 00:00:00 +0000

At Banzai Cloud we use our dast-operator which leverages ZAP to run baseline scans against the services we deploy on the K8S cluster. This operator deploys ZAP to the K8S cluster and initiates automated security testing for web applications and APIs based on OpenAPI definitions. Besides the operator responsible for starting the scan against a service, it can prevent opening a vulnerable service to outside. The prevention mechanism is based on the built-in admission controller which is watching the ingress resources. The admission controller checks the backend services of the ingress and makes a decision depending on the result of the ZAP scans.

Motorola Solutions

Wed, 14 Apr 2021 00:00:00 +0000

Motorola Solutions follows S-SDLC (secure software development lifecycle) best practices for our product development. Similarly, these best practices can be found in another OWASP project, the Software Assurance Maturity Model. We build our software development approach on the OWASP SAMM, to ensure delivery of secure products, from architecture design to the deployment in our own or customer’s infrastructure.