Customer case study

Andrej Šimko - Accenture

Burp Suite, professional services, and ballroom dancing.

Accenture logo

Introduction

Accenture's huge range of security services includes penetration testing, tailored attack services, adversary simulation, SDLC security, threat hunting, incident response, privileged access management, and security operations center (SOC) solutions. Its customers range from smaller companies to some of the world's largest brands.

Andrej Šimko is a security associate manager at Accenture. Based at its Cyber Fusion Center in Prague, Czech Republic, Andrej is part of Accenture's massive global cybersecurity service operation. As a Fortune 500 enterprise, with over half a million employees worldwide (some 6,000 of them working in security alone), Accenture is one of the world's largest providers of cybersecurity.

Key benefits

Andrej identified a number of key benefits Accenture gains by using Burp Suite Professional:

Burp Suite at Accenture

Andrej is an experienced user of PortSwigger software - having used Burp Suite Professional for well over half a decade at the time of writing. He tells us that when his colleagues first introduced him to Burp Suite, it was love at first sight. Or - as he puts it - it was "simply amazing".

While he's reached management level within Accenture, Andrej is still heavily involved with technical security. This means that he uses Burp Suite - including Burp Scanner - on a regular basis.

Many penetration testers love Burp Scanner for its ability to quickly find the latest web security vulnerabilities. Andrej is no exception here. He calls out PortSwigger Research's work as valuable to Accenture's ability to catch vulnerabilities that they can't with other tools.

Andrej finds OAST scanning with Burp Collaborator particularly useful. Burp Suite pioneered this technique - automating the process of looking for out-of-band security vulnerabilities. Along with Burp Suite's IAST capabilities, Andrej feels he's found the perfect combination for pentesting.

A varied profession

The road to a career in cybersecurity can be a winding one. This is something Andrej attests to. He knows infosec professionals with backgrounds ranging from fluid dynamics, right through to baking pizza. This makes Andrej slightly unusual in the industry. He holds a master's degree in Informatics in the field of Information Technology Security.

And the variation doesn't end there. Ask an AppSec person about their wider interests, and you'll often be in for a surprise. If Andrej has a passion in life other than security, it's ballroom dancing. Judging by his collection of medals, he's pretty good at it, too.

But Andrej is far from the only security professional out there who likes to waltz. At a recent dance event, he was recognized by a kindred spirit of sorts, by virtue of his Black Hat hoodie. Apparently, dancing is fairly common among cybersecurity folks.

ballroom-dancing-in-cybersecurity

Securing the SDLC

Working at Accenture, Andrej encounters many different types of customer use cases. A common thread for him here involves clients who want to shift their approach from applying security at the end of development, to ensuring that their software is written securely in the first place.

The latter approach - secure SDLC, or DevSecOps - is a burgeoning trend in cybersecurity. But Andrej is quick to point out that this isn't always easy. While newer, more reflexive organizations can generally make this shift without much hassle, larger operations with existing platforms will often find things more challenging.

Andrej mentions that scanning a large existing code base could quickly reveal hundreds of thousands of security vulnerabilities. Once such a veil is lifted, the organization concerned needs a viable plan to determine how it will bridge the gap. It's far from impossible, but it is a process that requires careful planning and consideration.

Useful features

We've already mentioned that Andrej is a big fan of the Burp Collaborator (OAST) and Burp Infiltrator (IAST) tools within Burp Suite Professional. But we were interested to find out the other features he and his team find the most useful for their work at Accenture.

As an advanced Burp Suite user, it's clear that Andrej likes to tweak settings. He calls out the ability to fine-tune Burp Suite's request workflow as being invaluable to his work. This allows him to carry out tests like properly analyzing multi-step operation, and adjusting CSRF tokens.

Andrej is also a fan of Burp Extender. There are over two dozen extensions that Andrej says he uses on an almost daily basis - and he also writes his own. He's particularly impressed with how this allows him to do almost everything he needs to directly from Burp Suite - without the need for Python scripting.

In the past, for instance, Andrej wrote a platform that created parameters for use in testing. This helped him to identify a large bug in the government application he was working on at the time. But nowadays, he says he would save effort by simply using the free Param Miner Burp extension.

Burp Suite has also been great for Andrej's profile. Every penetration tester likes getting a CVE with their name next to it, and Andrej is no exception here. In one case, after using Burp Infiltrator to identify some hidden SQL injection vulnerabilities, he gained not one, but two CVEs.

Accenture favorites

Andrej identified a number of Burp Suite features that are key to Accenture's work:

In summary

As you can see, Andrej is a true Burp Suite power user. He makes the effort to discover and use all functionality available to him. He strongly agreed with the following statements:

About Burp Suite Professional

Burp Suite Professional is an advanced set of tools for testing web security - all within a single product. From a basic intercepting proxy to a cutting-edge vulnerability scanner, with Burp Suite Pro, the right tool is never more than a click away.