Customer case study

BDO AS

Manual web application security testing with Burp Suite Professional.


Introduction

BDO's Norwegian division has around 1,700 employees across more than 70 offices throughout the country. Internationally, BDO counts close to 70,000 employees across 167 countries. Their client base ranges from large international firms to small and medium-sized enterprises, in both the public and private sectors.

Håkon Lønmo is Head of Penetration Testing for BDO in Norway. He leads a red team of seven ethical hackers, each of whom has their own distinct skill set. Just like Håkon, they all took very different paths into their current careers, allowing clients to benefit from their expertise and extensive experience of delivering cybersecurity in a range of sectors.

Key benefits

Håkon identified some key benefits BDO gains by using Burp Suite Professional:

Cybersecurity at BDO

Håkon's team spend around half of their working hours performing broad penetration tests or red team engagements. They work closely with the organization's blue team, who perform continuous security monitoring and incident response. Håkon's red team spends the other half of their time on extensive application testing, as BDO's clients need to test the security of applications they're developing, or want assurance on the use of third-party applications.

The challenges

As a service provider, Håkon and his team are never short of applications to test, which places a high priority on the efficiency of testing. Because the client base is so extensive, the application testing requirements vary widely, and any tools the team uses need to be flexible and adaptable.

Additionally, in order to provide risk assurance and business security to his clients, Håkon needs to ensure that his team has access to the latest security research. Ongoing training and development are integral to understanding the latest bugs and attack vectors, and to protecting clients from them most effectively.

The solution

Håkon finds that Burp Suite's site map feature gives a great overview of an application's structure, allowing his team to get a clear understanding of where to target. They also find the Burp Repeater and Burp Proxy modules to be practical tools for quick manual testing, such as intercepting requests and manipulating parameters.

He talks about the growing complexity of web applications, including container-based architectures and APIs. Because mobile applications and third-party integrations add further exposure, using tools with extensive flexibility has been beneficial here.

The benefits

BDO's Norwegian division found that by using Burp Suite Professional as their main tool for manual web application testing, they were able to provide a number of benefits to their customers and clients. By sharing the latest research and attack vectors from PortSwigger Research with his team, Håkon is able to provide well-informed security assurance to BDO's customers. Burp Suite's advanced automated tools, including the customizable Burp Intruder, speed up their penetration testing. This allows Håkon's team to perform their jobs more effectively, and thus provide a much more efficient client service.

The early years

Since he was a boy, Håkon has had an interest in the inner workings of computer programs. He worked with his father, a software engineer, to translate the classic 80s game Castle Adventure into his native Norwegian, using only a simple hex editor. In the late 90s, he learned microchip programming with a group of friends, using 8-bit assembly. As a young adult he served in the navy, and spent several years on a submarine operating torpedoes and sonar. It was this pivotal step that later led him into a career in cybersecurity.

Castle Adventure game screenshot in Norwegian

Looking to the future

To make sure that BDO Norway is always offering the best service possible to their clients, Håkon often finds himself considering the future of web security and the challenges it will bring. The recent migration of applications to the cloud causes him little concern, as he feels that the underlying technology remains fundamentally the same when it comes to testing.

Håkon believes that, due to the more abstract infrastructure of modern systems, his team will in future be testing for fewer web-based infrastructure breaches and more API-based data leaks. He also sees a shift toward more continuous testing, driven by dynamic environments and rapid code deployments. He considers flexibility in web security tools and methods important, in order to adapt to the advanced complexity of different applications and testing requirements.

About Burp Suite Professional

Burp Suite Professional is an advanced set of tools for testing web security, all within a single product. From a basic intercepting proxy to a cutting-edge vulnerability scanner, with Burp Suite Pro the right tool is never more than a click away.