
Justifying the expense wouldn't be difficult at all. However, I think the free version is Just Fine (TM) unless you need stuff like the scanner or intruder (intruder works in Burp Free, but is limited to something like 1 request/second).


Burp Intruder is the fuzzer inside of Burp. All the Burp-like tools let you capture requests your browser sends, edit them, and replay them. Burp Intruder lets you take a captured request and set up rules to send hundreds or thousands of variant requests.

I am weird among Matasanos (and ex-Matasanos :|) in that I live inside of Burp Intruder; I use it instead of Repeater. Why replay a request once when I can replay it 1000 times? So for me, non-crippled Intruder isn't optional.

I wish Burp didn't have a Scanner. I might pay $25 more for a branded version of Burp that specifically didn't have that feature, so I could reassure clients I wasn't ever using it.


> I wish Burp didn't have a Scanner. I might pay $25 more for a branded version of Burp that specifically didn't have that feature, so I could reassure clients I wasn't ever using it.

Huh? Do you like wasting clients' time/money?


No,

* which is why we don't charge billable hours to run off-the-shelf tools that our clients could just run themselves,

* I addressed why we don't "augment" with scanners downthread (shortened answer: it's a slippery slope to testers just running scanners),

* Our scoping and rates are dead square in the middle of the market, so if scanners are helping other firms deliver projects more cheaply than us, I don't think the savings are being passed along. (We also don't double- or triple-book consultants on multiple projects, and we don't pay overtime.)

I upvoted you, because while I thought that was a pretty snide way to ask the question, I sure am happy to get to say over and over again how our projects aren't just Burp Scanner results. :)


Well, I don't want to turn this into a company-specific debate, so I'm just addressing the position that running Burp's scanner or sqlmap is "low quality". I have a few issues with that position and your justifications.

I wouldn't bill a client for running a scan on them. I would start a scan and do manual testing at the same time, focusing on more intelligent attacks and understanding the application. By the time I am done, the scan would typically kill off a significant number of buggy parameters that I now don't have to test because I already know they're vulnerable. For some projects, this can be quite substantial. Beyond creating a POC and documenting the issue, I now don't have to spend billable hours on all of that.

The fact that scans consistently find a lot of bugs tells you that clients aren't running tools themselves. They don't know the tools, don't understand the results, don't know how to use them beyond point-and-click. They don't know how to set up macros that validate the session and re-log in, etc.

Although it sounds good to say that they aren't paying you to just run a scanner, the reality is no other reputable testers are doing that either.

Yeah, it was a bit snide, but you were scoffing at testers who do use scanners, and I genuinely think not using them (properly) is a colossal waste of time.


I wouldn't want to restate a whole bunch of points I made downthread (we think scanners degrade manual testing, we're not opposed to automation but instead only to automation that actually flags findings, we grind up the bones of candidates to fertilize the fungus we use for our pentest "trips", &c).

It would be fun to have this debate somewhere that wasn't 10 comments deep into an old thread.

I don't actually know you, or who you work for, so please don't think I could be calling you out as a bad tester. We just don't test with automated scanners. We're not the only shop that doesn't use scanners. It's just the way we work.


Huh, yeah, I've never seen anyone use intruder like that. I might use it once every other engagement, whereas I use repeater 24/7.


Also, if I'm justifying Burp to a non-security person, part of the reason why is that Intruder would allow me to do all sorts of wacky integration and stress tests without having to write fiddly code. A rule-based request generator is a pretty useful tool for the box.


$299/year seems pretty affordable; I was expecting to see something that cost thousands from the way you were talking. I know zilch about AppSec, but this appeals to the part of me that's good at breaking things.


So kind of like a magic 8 ball variant of ab? You know I'm rather surprised there aren't more open source tools like Burp and that it is so expensive.


You could use it to benchmark (it might be useful for that in cases where what you were benchmarking wasn't raw request handling speed, or the performance of simple SQL queries, but rather some backend event that would only be tickled by a particular pattern of requests), but the real thing it does that I think ab doesn't do is collect all the responses and allow you to compare them.

(It's actually not great at doing those comparisons, but I don't have a better alternative).

Burp costs money, but it costs so little money relative to its value that if you think it's expensive, I'm going to suggest you're doing something wrong with your bill rate.
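An added example, not code from this thread or from Burp itself, of the two things the comments above describe: a rule-based generator that expands one captured request into many variants (the Intruder idea from earlier in the thread) and the collect-and-compare step that ab lacks. The captured request, session cookie and responses are all constructed here and nothing is sent over the network.

```python
import re
from collections import defaultdict
from urllib.parse import quote

# Constructed sample of a captured request. "§...§" marks the payload position,
# the same marker convention Burp Intruder uses; the host and cookie are fake.
CAPTURED = (
    "GET /items?id=§42§&sort=asc HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: session=constructed-session-token\r\n"
    "\r\n"
)

# Constructed responses as (payload, status, body) for the comparison step.
SAMPLE_RESPONSES = [
    ("1", 200, '{"id":1,"name":"widget"}'),
    ("2", 200, '{"id":2,"name":"gadget"}'),
    ("3", 200, '{"id":3,"name":"doodad"}'),
    ("4", 404, '{"error":"not found"}'),
    ("5", 200, '{"id":5,"name":"gizmos"}'),
]


def generate_variants(template, payloads):
    """Rule-based request generator: substitute every §...§ position with each
    payload (URL-encoded) and return one complete raw request per payload."""
    position = re.compile(r"§[^§]*§")
    return [position.sub(quote(str(p), safe=""), template) for p in payloads]


def group_responses(responses):
    """Cluster responses by (status, body length), a crude but useful signature
    that makes responses which differ from the bulk stand out."""
    groups = defaultdict(list)
    for payload, status, body in responses:
        groups[(status, len(body))].append(payload)
    return dict(groups)


def outliers(responses):
    """Payloads whose response signature no other payload shares; these are the
    ones a tester would look at by hand first."""
    groups = group_responses(responses)
    return sorted(p for members in groups.values() if len(members) == 1 for p in members)


if __name__ == "__main__":
    for req in generate_variants(CAPTURED, [1, 2, "a b"]):
        print(req.split("\r\n")[0])
    print("outliers:", outliers(SAMPLE_RESPONSES))
```

Comparing only status and body length is exactly the kind of rough comparison the comment above calls "not great"; in practice you would also diff bodies or strip volatile tokens before grouping.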


> Burp costs money, but it costs so little money relative to its value that if you think it's expensive, I'm going to suggest you're doing something wrong with your bill rate.

Couldn't agree enough. Even if this is something you do as a hobby, Burp will more than pay for itself in a single bug bounty payout.


I meant expensive for somebody who is new to the topic and just wants to play with it. It's an inertia thing.


Check out the free version. It still has significant capabilities, including intruder.
