Burp Heroes

Håkon Lønmo - BDO AS, Norway

Case study: Manual web application security testing using Burp Suite.

Introduction

Håkon Lønmo is Head of Penetration Testing for BDO in Norway. He leads a red team of seven ethical hackers, each of whom has their own distinct skillset. Just like Håkon, they all took very different paths into their current careers, allowing clients to benefit from their expertise and extensive experience of delivering cybersecurity in a range of sectors.

BDO's Norwegian division has around 1,700 employees across more than 70 offices throughout the country. Internationally, BDO counts close to 70,000 employees across 167 countries. Their client base ranges from large international firms to small and medium-sized enterprises, in both the public and private sectors.

Key benefits

Håkon identified some key benefits BDO gains by using Burp Suite Professional:

When I started to learn web security, I engaged with different hacking challenges on forums. Burp Suite emerged to me as an invaluable tool to get under the hood with web applications. As OllyDbg was the standard for binary analysis and Wireshark was the standard for network analysis, Burp Community Edition was the entry level tool for breaking web applications.

Håkon Lønmo, Head of Penetration Testing

Cybersecurity at BDO

Håkon's team spends around half of their working hours performing broad penetration tests or red team engagements. They work closely with the organization's blue team, who perform continuous security monitoring and incident response. Håkon's red team spends the other half of their time on extensive application testing, as BDO's clients need to test the security of applications they're developing, or want assurance on the use of third-party applications.

By dealing with real incidents, we constantly keep our testing and advice up to date with the latest threats. And our red team gets to challenge our blue team with new attack vectors and techniques, so that detection can be improved.

Håkon Lønmo, Head of Penetration Testing

The challenges

As a service provider, Håkon and his team are never short of applications to test. This places high priority on the efficiency of testing. Due to the extensive client-base, the application testing requirements are varied, and any tools used by the team need to be flexible and adaptable.

Additionally, in order to provide risk assurance and business security to his clients, Håkon needs to ensure that he is providing his team with access to the latest security research. Ongoing training and development are integral to understanding the latest bugs and attack vectors, and how to protect clients from them most effectively.

Burp Suite Professional is our main tool for all manual web application testing. The Intruder module makes it easy to automate fuzz testing of different input parameters. I've also used it successfully for brute-forcing usernames or object references.

Håkon Lønmo, Head of Penetration Testing

The solution

Håkon finds that Burp Suite's site map feature gives a great overview of an application's structure, allowing his team to get a clear understanding of where to target. They also find the Burp Repeater and Burp Proxy modules to be practical tools for quickly testing manual intervention in requests or manipulation of parameters.

He talks about the growing complexity of web applications, including container-based architecture and APIs. Utilizing tools with extensive flexibility has been beneficial here, due to additional exposure from mobile applications and third-party integrations.

Another great thing about Burp Suite is all the available extensions. And if some functionality is not there already, you can always create an extension for it.

Håkon Lønmo, Head of Penetration Testing

The benefits

BDO's Norwegian division found that by using Burp Suite Professional as their main tool for manual web application testing, they were able to provide a number of benefits to their clients. By sharing the latest research and attack vectors from PortSwigger Research with his team, Håkon is able to provide well-informed security assurance to BDO's clients. Burp Suite's advanced automated tools, including the customizable Burp Intruder, speed up their penetration testing. This allows Håkon's team to perform their jobs more effectively, and thus provide a much more efficient client service.

The early years

Since he was a boy, Håkon has had an interest in the inner workings of computer programs. He worked with his father, a software engineer, to translate classic 80s game Castle Adventure into his native Norwegian, using only a simple hex editor. In the late 90s, he learned microchip programming with a group of friends, using 8-bit assembly. As a young adult he served in the navy, and spent several years on a submarine operating torpedoes and sonars. It was this pivotal step that later led him into a career in cybersecurity.

Castle Adventure game screenshot in Norwegian

Over time, the civil and private sectors have matured, but still the threat actors are always ahead in my opinion. They have the advantage of picking when and where to strike.

Håkon Lønmo, Head of Penetration Testing

Looking to the future

To make sure that BDO Norway is always offering the best service possible to their clients, Håkon often finds himself considering the future of web security and the challenges it will bring. The recent movement of applications to the cloud brings him little concern, as he feels that the underlying technology remains fundamentally the same when it comes to testing.

Håkon believes that, due to the more abstract infrastructure of modern systems, his team will be testing for fewer web-based infrastructure breaches and more API-based data leaks in the future. He also sees a shift toward more continuous testing, due to dynamic environments and rapid deployments of code. He finds flexibility in web security tools and methods important, in order to adapt to the advanced complexity of different applications and testing requirements.

Resources like PortSwigger Research and the Web Security Academy mean PortSwigger are the experts I'd recommend to anyone wanting to improve their application security.

Håkon Lønmo, Head of Penetration Testing

About Burp Suite Professional

Burp Suite Professional is an advanced set of tools for testing web security - all within a single product. From a basic intercepting proxy to a cutting-edge vulnerability scanner, with Burp Suite Pro, the right tool is never more than a click away.