PortSwigginar – June 22

Thanks to those who attended our recent PortSwigginar on Burp Suite Enterprise Edition.

Below is the video of the session, which included:

  • A recap on “what’s new” in the product for those who haven’t checked it out in a while.
  • How Burp Suite Professional and Burp Suite Enterprise Edition work together.
  • Understand our licensing model and pricing.
  • An overview of our deployment options.
  • How to quickly set up a site and run a scan.
  • CI/CD integrations, including launching analysis from a Jenkins pipeline.
  • Sneak peek of our 2022 roadmap!

Watch the video here: “What’s new in Burp Suite Enterprise Edition?”

How can I join the next PortSwigginar?

Didn’t have the chance to attend the last one? No worries at all – we have our next PortSwigginar on July 13th at 11:00am EST. Please use this link to register – we look forward to seeing you there!

Finally, we had some fantastic questions from attendees, so we wanted to share the answers below for the benefit of anyone who missed out.

Questions from our audience

Do you have any information on how Burp Suite Enterprise Edition handles authenticated scans?

Adding authentication for your sites is detailed here.

Do you have an integration for Azure DevOps as an issue tracker?

Azure DevOps is not a currently supported integration for issue tracking. We plan to add more integrations, with GitHub currently in development.

Does Burp Suite Enterprise Edition have an isolated on-premises “dark” enterprise API that integrates with other SecDevOps tools in the CI/CD pipeline?

Although CI/CD integration is supported in Burp Suite Enterprise Edition, offline activation is not supported. We plan to expand CI/CD functionality in the future, so please check back with us.

If Burp Suite Enterprise Edition allows activation in the “dark”, how does the licensing process work in this case?

Offline activation is not supported for Burp Suite Enterprise Edition; a connection to portswigger.net over port 443 is required for license activation. You can review our network and firewall requirements here.

Can Kubernetes be deployed in AWS Fargate?

Yes, AWS Fargate is supported.

Does Burp Suite Enterprise Edition provide testing and functionality specifically for serverless functions, similar to AWS Lambda, Microsoft Azure Functions, or Google Cloud Functions?

There are no tests or features specific to serverless functions, but you may be able to create a custom extension to meet your needs.

Do you provide sample infrastructure as code (e.g. Terraform or CloudFormation) for easy deployment?

Our reference architecture template uses CloudFormation and can be found on our public GitHub. The link is in our Kubernetes documentation here. We may provide examples for other platforms in the future.

What is the Burp Suite Enterprise Edition license?

Burp Suite Enterprise Edition is licensed on concurrent scans. We don’t limit the number of apps, domains, URLs, users or anything else – only scan concurrency. Unlike most automated web vulnerability scanners, Burp Suite Enterprise Edition scans can be assigned and reassigned across any website, application, or URL.

Does Burp Suite Enterprise Edition support Okta for RBAC?

We support SSO (SAML and LDAP) integration that works with Okta. In this case, user permissions are managed on the identity provider side. We also support a SCIM integration that can be used with SSO integration to manage user permissions in Burp Suite Enterprise.

Are there plans for a fully hosted SaaS/PaaS solution?

There are no immediate plans but it is under consideration. Currently, the solution is deployed in your own infrastructure.

Does Burp Suite Enterprise Edition have the ability to save an application walkthrough (i.e. as a HAR file) to save the page sequence and specific test data that can be needed to successfully test the entire application? Similar to saved login, but for the entire application?

The automated scanner currently handles exploration and target mapping on its own. We are looking to add features such as Selenium- or Puppeteer-driven exploration in the future. This would allow setting a specific path through the application, or navigating and filling out more complex multi-step forms with defined steps.

Is it possible to use multiple credential profiles?

Yes, multiple sets of application login credentials can be defined for a scan.

Is there programmatic authentication support for non-UI APIs/applications like Auth0, PingIdentity, etc.?

Our automated API analysis feature does not currently handle authentication at the API level, which is separate from the web application. However, we have a feature to add a custom HTTP header, provided a static authorization token can be defined in advance. A URL match determines when the header is applied.

Is there support to skip crawling altogether and just use something like the API documentation (Postman, OpenAPI, Insomnia, etc.) or from a pre-built Burp Pro sitemap?

Not currently. The automated scanner performs exploration and target mapping on its own. We are looking to add functionality in the future to enable exploration driven by Selenium or Puppeteer.

Will Burp Suite Enterprise Edition be able to import scan reports from Burp Professional?

There are no plans to import scan reports at this time.

Do you have any integration with Atlassian Bamboo as a CI/CD platform?

We have a generic driver that would allow integration with this platform. On our roadmap, we are also considering a containerized CI/CD integration to avoid having to use a native driver per platform.

Is there any integration with CyberArk for Scan IDs?

We’re not familiar with CyberArk specifically, but we do have a saved login sequence feature that can handle more complex application authentication, such as SSO.

Does the crawl perform content discovery similar to Burp Pro when searching for content/pages?

Yes, Burp Suite Enterprise Edition’s automated scanner is the same as Burp Professional’s – it performs content discovery automatically.

Can Burp Suite Enterprise Edition user accounts be configured as SSO/2FA, and can you apply role-based access control (i.e. view results but not configure analytics)?

Yes, SSO and RBAC are supported.
