Over the past six months, we've added a number of new features to Burp Suite Enterprise Edition. We're also pleased to announce that the software is now being used by 572 organizations, across 63 countries. In this blog post, we'll cover the following new features:
- Recorded login sequences.
- Browser-powered scanning.
- API vulnerability scanning.
- Single sign-on.
- API and integration improvements.
- Cloud-friendly deployment.
PortSwigger launched Burp Suite Enterprise Edition for general release in June 2019. Its mission? To enable large enterprises to scan their web estates at scale, and support them in achieving DevSecOps.
Since then, we've been listening carefully to our users. Based on this invaluable feedback, we've launched numerous releases - adding a wealth of new features. This has improved overall functionality, and taken Burp Suite's scanning capability to new levels.
If you trialled Burp Suite Enterprise Edition before, but found it was missing something you needed, or if you're currently evaluating automated web vulnerability scanners, then now's a really great time to try the latest version.
Recorded login sequences
A known - and painful - limitation of many automated web vulnerability scanners is their inability to authenticate to target web apps that use complex login sequences. This is no longer a problem for users of Burp Suite Enterprise Edition.
You can now record login sequences using a dedicated browser plugin. The recording is then passed through to Burp Suite - giving Burp Scanner authenticated access to your application so that it can check for vulnerabilities. With the problem of complex login sequences solved, you can truly scan it all, at scale! This is a huge boon for many of our users.
Browser-powered scanning
Burp Suite Enterprise Edition contains the same trusted Burp Scanner found in Burp Suite Professional - tried, tested, and trusted by over 51k users. Burp Scanner continued its long tradition of innovation this year - with the addition of browser-powered scanning.
Behind all our innovations stands considerable research and expertise. We've invested a great deal of time making browser-powered scanning reliable - and this is a continuous process. Browser-powered scanning is foundational to a number of Burp Scanner enhancements - including recorded logins - and, in future, will allow further improvements in coverage for single-page web apps.
API vulnerability scanning
APIs represent a huge attack surface for many organizations. Okta has previously cited Gartner in predicting that by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise applications.
In line with our mission to help enterprises secure their entire web portfolios, PortSwigger plans to support the security testing of APIs and microservices.
November's 2020.11 Burp Suite Enterprise Edition release includes the ability to scan APIs for vulnerabilities from their JSON or YAML API definitions, supporting version 3 of the OpenAPI (Swagger) specification.
We will be expanding our support for enumerating API endpoints, so please let our team know your feedback and requirements.
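The first thing a scanner has to do with an OpenAPI 3 definition is turn it into a list of concrete requests to exercise. The following added example (not PortSwigger's code, and not a description of how Burp Scanner does it internally) shows that step: it loads a JSON definition (or YAML, if PyYAML happens to be installed), checks the version, and enumerates every path/method pair together with its parameters, whether it takes a request body, and whether the definition declares it as authenticated. The sample definition embedded in the block is constructed for illustration; the host `api.example.test` is a placeholder.

```python
import json
from typing import Any, Dict, List

# HTTP methods that may appear as operation keys under "paths" in OpenAPI 3.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample OpenAPI 3 document (not taken from the page).
SAMPLE_SPEC_JSON = """
{
  "openapi": "3.0.3",
  "info": {"title": "Demo API", "version": "1.0"},
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {"summary": "Fetch a user"},
      "delete": {"summary": "Remove a user", "security": [{"bearerAuth": []}]}
    },
    "/search": {
      "get": {"parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]}
    },
    "/login": {
      "post": {"requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}}
    }
  }
}
"""


def load_spec(text: str) -> Dict[str, Any]:
    """Parse a JSON definition; fall back to YAML when PyYAML is available."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        try:
            import yaml  # optional dependency, only needed for YAML input
        except ImportError as exc:
            raise ValueError("input is not JSON and PyYAML is not installed for YAML") from exc
        return yaml.safe_load(text)


def enumerate_endpoints(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten the 'paths' object into one record per (method, URL)."""
    if not str(spec.get("openapi", "")).startswith("3."):
        raise ValueError("only OpenAPI 3.x documents are supported")

    # Use the first declared server as the base URL; relative if none is given.
    servers = [s["url"] for s in spec.get("servers", [])] or ["/"]
    base = servers[0].rstrip("/")

    endpoints = []
    for path, item in spec.get("paths", {}).items():
        # Parameters declared at path level apply to every operation under it.
        shared_params = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", vendor extensions, etc.
            params = shared_params + op.get("parameters", [])
            endpoints.append({
                "method": method.upper(),
                "url": base + path,
                "params": [(p["name"], p["in"]) for p in params],
                "has_body": "requestBody" in op,
                # Operation-level security overrides the document-level default.
                "authenticated": bool(op.get("security", spec.get("security"))),
            })
    return endpoints


def main() -> None:
    for ep in enumerate_endpoints(load_spec(SAMPLE_SPEC_JSON)):
        auth = "auth" if ep["authenticated"] else "anon"
        body = "+body" if ep["has_body"] else ""
        print(f"{ep['method']:<7}{ep['url']} [{auth}{body}] params={ep['params']}")


if __name__ == "__main__":
    main()
```

The `authenticated` flag is the one a practitioner should look at first: an operation with no `security` requirement in the definition is either genuinely anonymous or a documentation gap, and both are worth confirming before scan results are interpreted.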
Single sign-on
Many enterprises use third-party identity management and authentication services to control access to their applications.
Being able to centrally control user access simplifies IT infrastructure - ensuring that only authorized users can access restricted applications. In the case of Burp Suite Enterprise Edition, single sign-on enables our customers to efficiently roll out control of automated vulnerability scans to stakeholders across their organization.
This functionality, combined with Burp Suite Enterprise Edition’s role-based access controls, ensures that reporting is available to permitted individuals.
July 2020's release brought with it the ability to configure an LDAP connection between Burp Suite Enterprise Edition and your Active Directory server. This was then expanded in October 2020, with support for SAML integration. This has been fully tested with:
- Active Directory Federation Services (ADFS).
- Azure Active Directory.
SAML integration will be of particular interest to Burp Suite Enterprise Edition users managing user authentication for cloud-based deployments.
API and integration improvements
Since launch, Burp Suite Enterprise Edition has had a REST API to enable integration with other applications (e.g. CI/CD systems). To improve integration, in April 2020, we launched a GraphQL-based API, which exposes most of Burp Suite Enterprise Edition's core functionality.
You can use the new API to read and write most of the same data you can using the web UI. For example, you can now use the GraphQL API to:
- Create and edit sites.
- Schedule one-off and regular scans.
- Create and edit custom scan configurations.
- Add folders to your site tree.
- Get scan results and reports.
- Manage your pool of agent machines, including authorizing new agent machines.
There's a lot more we plan on doing to expand Burp Suite Enterprise Edition's API functionality. If you have a requirement that's not covered here, we'd love to hear from you to help shape our roadmap.
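A common use of "get scan results" from a CI/CD pipeline is a quality gate: fetch the issues for a finished scan and fail the build when anything at or above a chosen severity was found. The added example below (written for this post, not PortSwigger's code) shows the gating logic. The page gives no API schema, so the endpoint path `/graphql/v1`, the `Authorization` header carrying the API key, and the query field names (`scan`, `status`, `issues`, `severity`, `confidence`, `issue_type`, `path`) are assumptions to be checked against the product's API documentation; the embedded response is constructed sample data and `burp.example.test` is a placeholder host. Nothing is sent over the network: the block builds the request and evaluates a response that a pipeline would have received.

```python
import json
from typing import Any, Dict, List

# Burp's severity and confidence scales, ordered so they can be compared.
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE_ORDER = {"tentative": 0, "firm": 1, "certain": 2}

GRAPHQL_PATH = "/graphql/v1"  # assumed endpoint path, verify against the API docs


def build_request(base_url: str, api_key: str, scan_id: str) -> Dict[str, Any]:
    """Assemble the HTTP request a CI job would send to fetch a scan's issues.

    The query shape is an assumption; field names must match the deployed schema.
    """
    query = """
    query ScanIssues($id: ID!) {
      scan(id: $id) {
        status
        issues { severity confidence path issue_type { name } }
      }
    }
    """
    return {
        "url": base_url.rstrip("/") + GRAPHQL_PATH,
        "headers": {"Authorization": api_key, "Content-Type": "application/json"},
        "body": json.dumps({"query": query, "variables": {"id": scan_id}}),
    }


# Constructed sample response, shaped like a GraphQL reply to the query above.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "scan": {
            "status": "succeeded",
            "issues": [
                {"severity": "high", "confidence": "tentative", "path": "/search",
                 "issue_type": {"name": "SQL injection"}},
                {"severity": "medium", "confidence": "certain", "path": "/search",
                 "issue_type": {"name": "Cross-site scripting (reflected)"}},
                {"severity": "medium", "confidence": "firm", "path": "/login",
                 "issue_type": {"name": "Cleartext submission of password"}},
                {"severity": "low", "confidence": "certain", "path": "/",
                 "issue_type": {"name": "Cookie without HttpOnly flag set"}},
                {"severity": "info", "confidence": "certain", "path": "/",
                 "issue_type": {"name": "Frameable response (potential Clickjacking)"}},
            ],
        }
    }
})


def extract_issues(response_text: str) -> List[Dict[str, Any]]:
    """Return the issue list, refusing partial or errored GraphQL replies."""
    payload = json.loads(response_text)
    # GraphQL reports failures in an "errors" array and may still return HTTP 200.
    if payload.get("errors"):
        messages = "; ".join(e.get("message", "unknown error") for e in payload["errors"])
        raise RuntimeError(f"GraphQL request failed: {messages}")
    scan = payload["data"]["scan"]
    if scan["status"] != "succeeded":
        # Gating on an unfinished or failed scan would give a false pass.
        raise RuntimeError(f"scan not complete: status={scan['status']}")
    return scan["issues"]


def severity_counts(issues: List[Dict[str, Any]], min_confidence: str = "tentative") -> Dict[str, int]:
    """Count issues per severity, ignoring those below the confidence floor."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    floor = CONFIDENCE_ORDER[min_confidence]
    for issue in issues:
        if CONFIDENCE_ORDER[issue["confidence"]] >= floor:
            counts[issue["severity"]] += 1
    return counts


def should_fail(issues: List[Dict[str, Any]], fail_on: str = "high", min_confidence: str = "firm") -> bool:
    """True when any issue is at least `fail_on` severity and at least `min_confidence`."""
    threshold = SEVERITY_ORDER[fail_on]
    floor = CONFIDENCE_ORDER[min_confidence]
    return any(
        SEVERITY_ORDER[i["severity"]] >= threshold and CONFIDENCE_ORDER[i["confidence"]] >= floor
        for i in issues
    )


if __name__ == "__main__":
    req = build_request("https://burp.example.test", "<api key placeholder>", "42")
    print("POST", req["url"])
    found = extract_issues(SAMPLE_RESPONSE)
    print(severity_counts(found))
    print("fail build:", should_fail(found))
```

Two design choices matter here. The gate checks `status` before trusting the issue list, because an empty list from a scan that has not finished is not a clean result. And it applies a confidence floor separately from the severity threshold: with the defaults, the tentative high-severity finding in the sample is surfaced in the counts for a human to triage but does not by itself block the build, whereas the firm medium finding does once the threshold is lowered to `medium`.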
Cloud-friendly deployment
Organizations migrating to the cloud or starting out with a cloud-first mentality are looking for security solutions that fit into their cloud-based stacks. Those interested in cloud-hosted security can now deploy Burp Suite Enterprise Edition to the cloud.
We'd love to hear what you think
Ready to get started with Burp Suite Enterprise Edition, or perhaps you'd like to give it another try in light of the latest feature releases?