We launched the Burp Suite Certified Practitioner (BSCP) certification at the end of 2021 due to growing demand from Burp Suite Professional customers. Spanning everything from classic vulnerability classes to cutting-edge discoveries – including some from PortSwigger Research themselves – the BSCP provides a realistic, black-box environment to test and hone both old and new skills.
The team at Packetlabs - a Canada-based company - exclusively use Burp Suite Professional for their web application penetration testing. We recently spoke with Denis Kucinic, VP of Operations at Packetlabs, to find out how he's incorporated the BSCP into his organization.
As an organization that prides itself on its advanced testing capabilities, Packetlabs places high priority on finding the best talent. They provide pentesting services, or ethical hacking as it's also known, and follow what Denis calls "the hedgehog model".
"You just do one thing, and you do it really well, rather than doing multiple things and not doing any of them well."
Packetlabs is a growing organization, and as such has recently had to place more focus on hiring. Denis talks about struggling to know what someone is capable of in a 45-minute interview, running test challenges, and not wanting to pigeonhole people into just the vulnerabilities the challenge dealt with. He's also trying to strike the balance between whether a candidate can explain something versus actually being able to put it into action.
Emma S (PortSwigger): So Denis, could you talk us through some of the challenges you have experienced in finding top level talent to be able to provide the service that you do at Packetlabs?
Denis K (Packetlabs Ltd): I'd say 70% of our work is web, so whether it's compliance, red teaming, or straight up testing, how do we decide who really knows their stuff? We implemented an extensive training program. It started out with the Web Application Hacker's Handbook - we would say, go through that. We have our own testing methodology, which is aligned with what each tester has to go through on a web app.
Then PortSwigger launched the Web Security Academy, and we noticed that the testers who went through it had a really good time. They'd be learning a lot of different attacks, and how to move around on a web app - they were understanding the different types of attacks and what they saw on the scanner.
"How do you rule out something that's a false positive? How? You keep going until you figure out if it actually is or not. And that's always a challenge."
After seeing the positive impact the Web Security Academy had on his testers, Denis and the team implemented a ranking system. Focusing on infrastructure and core web testing, they were able to get a comprehensive measure of a testers' capabilities simply by seeing their progress through the topics, learning materials, and labs.
Emma S (PortSwigger): And then we went and launched the BSCP …
Denis K (Packetlabs): That's right, and we were so excited - we added it to our hiring checklist straight away. For anyone new that came in, we said, okay, here's the salary that we bring you in on without the BSCP; Here's the salary if you get it.
"For every new hire now, we say get Burp Suite certified because we just find the value in it really shows in those testers that got it. You can just tell the difference from the ones that started on day one that didn't have the Burp Suite cert."
Emma S (PortSwigger): Can you share any thoughts about your experience of the BSCP?
Denis K (Packetlabs): It's like an emotional rollercoaster because it's high pressure. You have a certain amount of hours - similar to the OSCP, but it's even more pressure - which is really lifelike because sometimes you do have environments where you only have a couple of hours left and you have to go in there. You have to use Burp Scanner, see what shows up, and then you have to validate it. You have x amount of hours to do it. I like the urgency of it and the difficulty of it. I think that's really realistic to real-world scenarios.
I hate rollercoasters but that's what this is like. You're going up and you're like, oh, this is great, and then you're going down and you're like, oh no, I'm not as good as I thought I was. And then you're like, oh, I'm great.
"There's nothing really out there right now that we've seen that is on the same level as the Burp Suite cert. It's all just question and answer - it's very static and it's not the same. It's not well-rounded, right? You only have a couple of things to go through, whereas this [Burp Suite cert] is covering the whole gamut."
After seeing the difference in testers that had gone through the Burp Suite certification, Denis and the team decided to incorporate it into their internal certification bounty program. The majority of the work they do at Packetlabs is focused on the web. This means that their certification bounty program pays testers higher bounty bonuses if they have (or are working toward) web-focused certifications - the Burp Suite Certified Practitioner cert is top of the list.
"We look at OSCP for the infrastructure, and then we look at the Burp Suite cert for the web. If we're looking to hire someone more on the web side, we'll basically not consider the OSCP as much anymore because we see the Burp Suite cert as the web equivalent."
Emma S (PortSwigger): Are you able to give any examples of the kind of differences you've seen in testers that have gone through the BSCP?
Denis K (Packetlabs): Yeah so you would usually see something basic like HTTP request smuggling or something like that. And your tester is like okay, yeah, I can inject another piece of payload into something, or get something that way, but you never see it go any further.
What we've seen is that you can tell the ethical hackers that have the BSCP because they can chain multiple vulnerabilities together. And they don't just stop at, oh, here, I smuggled something. They're thinking about what they could do with it, and where they can go next. It was just like a bizarre chain of events where even our clients were flabbergasted because they were having tests done by other vendors, and even their internal pen test teams, and they weren't getting the findings that our BSCP certified testers were.
"We've seen instances of Oracle padding, which was the first time I've seen this, and this was from a Burp Suite certified tester. He was doing Oracle padding vulnerabilities, which is like something you just see in the books, and he was actually exploiting it and showing proof of impact. That's all just credit to going further and having the skillset because if you don't have the skillset, there's no way you can figure any of that stuff out."
Having seen the success that Denis and the rest of the team at Packetlabs have had with their certification bounty program, and the focus they've placed on training and development for their testers, we wanted to see what advice they had to share with the rest of the Burp Suite community.
Emma S (PortSwigger): Based on the feedback you've had from your testers, are there any thoughts you'd like to share about the certification?
Denis K (Packetlabs): When I first heard about the BSCP, and the time required for it, I was like, oh man, that's a lot of challenges for only a specific amount of time, right? It's a small window, you know, there's a lot of stuff to know. But then when you think about it, in the real world you don't really have a lot of time either.
Emma S (PortSwigger): Have any of your testers who've gone through it got any advice that you think would be worthwhile sharing with people thinking about attempting it in the future?
Denis K (Packetlabs): I think going through every single challenge would be the big thing. But even when you do, I don't think there's any way to prepare for that. I don't think there's any real way to do it unless you have experienced it. So go into it, you know, [with] the first attempt as an experiment. Don't feel bad if you don't get on the first go because it's an experience in itself, like an emotional rollercoaster. So you have to kind of experience it first, and then you wanna go on the rollercoaster again. When you go through it, you'll figure out the complexity of it and how you need to chain things together.
"We've had a couple of our testers take it a few times and every single time they come back and they're like, oh, I learned something new. It goes back to the mindset, how you approach things, and embracing the discomfort because if you don't embrace it then you won't keep challenging yourself."
Emma S (PortSwigger): Any final thoughts you'd like to share?
Denis K (Packetlabs): Honestly, I'm speaking the truth, I really do love the Burp Suite cert. It really is a great certificate and I'm glad that it's out there. I just think it's gonna take a little bit of time to get mainstream with pen testers.
If you're interested in learning more about the Burp Suite Certified Practitioner certification, and how it could support testers at your organization, please get in touch with us.