Burp Suite a good Security Testing Tool at a Good Price
August 24, 2018
Burp Suite a good Security Testing Tool at a Good Price
Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with Burp Suite
Burp Suite is being used by the Web Software Security Team. It is fairly easy to use and can do much of the dynamic security testing (DAST) at the company. We have a company policy that all websites must go through a security review before they can be moved to production. Burp is one of the tools that we use to help in this process. I have found that Burp Suite can usually do the job required fairly quickly. It also produces a report that most of the developers can understand.
- Burp Suite is fairly quick to perform an attack on a website. I have found it very thorough for the time it takes to run an attack.
- Burp Suite can spider a website very quickly and it usually finds most of the web pages on a website. Once it has spidered a website, it allows you to not attack any page it found during the scan. This is very useful when there are certain parts of a website you do not want to attack.
- Burp Suite allow you easily log into a website as the first step in spidering and attacking. This is useful for us since most of our websites require a login before we can scan the internal pages of a website.
- Burp Suite is not a tool that a complete security novice will get much out of. You do need to know the basics of application security to be able to properly use the tool.
- Burp Suite can, at times, take a very long time to completely attack a website. I have found that some websites are still being attacked after a few hours. This is usually due to errors being thrown during the attack process and Burp Suite has determined that too many errors have been thrown it will stop attempting the test that was throwing the errors.
- Burp Suite is constantly being updated. I find that I have to install a new release about two or three times a month. I know this should be considered a good thing, and it can be, but sometimes I am afraid that an update might break the tool.
- Burp Suite is a decent tool for the price and many security testers know how to use it. Considering some DAST tools cost 10 of thousands of dollars a year to get a license for and they do not do any better at scanning a website than Burp Suite if is a good investment.
- Burp Suite has many training videos and tutorials available on the Internet. Testers are good for training your staff on how to use the tool.
- Burp Suite needs to improve their support for testers website attacks. Not completing successfully is not a good option after a few hours of running.
Burp Suite stacks up fairly well against these other two products both of which are quite expensive to license. The best other product I would suggest is OWASP Zed Attack Proxy or ZAP. It performs quite well and the cost of the product is free. ZAP is an Open Source product. If, however, you do not want to use an open source product I would either go with Burp Suite or look into the more expensive Rapid7 AppSpider.
Evaluating Burp Suite and Competitors
- Price
- Product Usability
- Product Reputation
The single most important factor in my decision to select Burp Suite was the price for obtaining a license for the product and the usefulness of the product. It has a lot of training available online and the support is quite good. Whenever I open a support question with the vendor they usually answer my question with a few hours of my asking the question. This is very good for the cost of the license.
I like Burp Suite and I don't think I would change my mind if I had to make the decision again. The product usually runs well and does what I need it to do. There some problems with the product but for the price, it is quite a good product.