"Burp has reduced my need for outside consultants"
Jennifer manages an eight-strong security team, working within a major financial services organization. The team’s skills are generalist in nature, and they perform a variety of audit-based work within the company. They do a small amount of hands-on web application testing, but Jennifer outsources most of this work to technical specialist consultants.
The team has recently found that Burp Scanner strongly complements its own basic testing skills. Using Burp Scanner, the team is able to take on more of the hands-on testing itself, and can now find and fix many common vulnerabilities earlier in the development lifecycle. Jennifer still uses external specialists for more difficult tests, but the scope of the outsourced work is smaller than it was previously.
Within a few weeks of using Burp Scanner, Jennifer’s consulting costs have fallen by around 15%. Her team is happy to be doing more hands-on testing, and developing their technical capabilities.
"Burp beats web scanners costing ten times the price"
Martin heads up an independent consultancy employing 15 penetration testers. Around half their work involves web application testing.
The consultants employ manual testing techniques, supported by an automated scanner to give them some back-up, especially on larger applications. Previously, the company had licensed a major commercial scanner, which met their needs adequately.
Martin and two of his team tried out Burp Scanner, and found that it is actually more effective at finding bugs than the other scanner. They also found it easier to use, and much more tailored to penetration testers, giving them direct control over, and feedback about, the scanning process.
Now the entire team is using Burp all the time. Martin didn’t renew the license for the other scanner, saving the company tens of thousands of dollars per year.
"Burp has made my job so much easier"
Robert is a highly experienced penetration tester, who has worked in the industry for nearly a decade. In the last few years, he has performed contract work for numerous companies, as well as working full-time for a couple of periods.
Robert prefers to maintain his own set of testing tools, mostly free and open source ones. He regards the big commercial products as too expensive and untrustworthy.
Following a friend’s recommendation, Robert gave Burp a try, and found that it provides a very effective back-up to his manual methodology. He frequently uses Burp Intruder for automating custom attacks, such as fuzzing unusual input validation and exploiting vulnerabilities to harvest useful data from an application. He has recently found that Burp Scanner is able to identify numerous input-based bugs faster than he can find them manually, leaving him free to focus his efforts on issues that require human intelligence to discover.
Robert thinks Burp is cheap, and he is happy to pay the subscription himself. He always recommends Burp to colleagues who haven’t yet discovered its benefits.
"Burp Suite Pro combines the best in automated and manual testing, freeing the tester from tedium while still fully utilizing their creativity. Unlike most other commercial tools, it follows the ‘force multiplier’ model and not the ‘brain replacement’ model. Burp is by far the best value in the webappsec tool market, and the gold standard for manual webapp review tools."
Steve Pinkham, Maven Security Consulting
"Burp Suite Pro is a key tool I use when testing web applications. I routinely use commercial automated tools costing orders of magnitude more money, and find that there is no substitute for the semi-automated scanning provided by Burp. Nothing comes close to Burp Intruder for probing and exploiting the depth of web vulnerabilities. Burp is a solid product at a reasonable price."
Albert School, Penetration Tester, Fortune 100 Firm
"Burp Suite Pro lets you achieve everything a penetration tester needs, in a smart way. Let Burp record, analyze or replay your web requests while you are browsing an application. Make Burp run dedicated and specific attacks against your target. Run Burp Scanner and be surprised by the low false positive rate for its high level of vulnerability detection."
"Burp is the best Heads-Up Display (HUD) for app hacking. Have you ever seen or played a video game with an HUD? That’s like Burp Suite Free Edition. Can you imagine a futuristic special forces paramilitary unit laying to waste their uninformed enemies using the strategic and tactical data coming into the displays on their helmets? That’s the power of Burp Suite Pro. Just add a hero."
"I cannot even imagine a web application pen-test without Burp Suite Pro. This amazing software is my first choice as it allows me to perform in-depth manual testing in a time-saving way. Moreover, using the IBurpExtender interface, I can also develop my own plugins to uncover even more bugs!"
Luca Carettoni, OWASP Italy
"Years before Burp Suite Pro existed I was telling people something like it should be built - then my prayers were answered. Burp has turned into one of the most powerful security testing tools available to skilled practitioners. It is easily portable, effective, and has a robust feature set. People always say: ‘I didn’t know Burp could do that’. This is no surprise, as Burp is constantly evolving to lead the pack."
Bob Harford, CEO, Penetration Testing Firm