PortSwigger Burp Suite Professional Reviews

This is a solution for which I provide services to our customers and I also use it personally.

As part of our organization, we build internal applications. Before they are put into production, we run a suite of security tests to ensure that our applications are not vulnerable to any known issues. We use PortSwigger Burp for testing, as well as OSASP Zap. We do similar tests in multiple tools to make sure that we cover the entire set of use cases.

I have this solution deployed as one user on a single machine, which is used by a designated security tester.

The most valuable features are Burp Intruder and Burp Scanner.

The automatic scanning feature is helpful.

The interface for the automatic scan can be improved because it is easy for technical users, but the business users have trouble with it. There is documentation but the interface should be more user-friendly.

There should be a heads up display like the one available in OWASP Zap. I think that it would be a very good addition.

I have worked with PortSwigger Burp for about ten years.

This solution is stable and we have had no major problems.

We have had no issues with scalability, although we are using a standalone installation with only a single user. We may expand usage in the future.

We also have OWASP Zap and we continue to use these two tools.

Zap has a heads up display within its own browser, which is a very good feature. Zap is also completely free, whereas Burp has a free version but it also has licenses available.

For the most part, we use open-source solutions, which are free of charge.

The initial setup is simple and very straightforward. We were not setting up a server, so it took perhaps five minutes to get up to speed and begin using it.

There are different licenses available that include a free version.

We do have problems with some of the add-ons that we install from the marketplace. They may not be available or out of support, so when you want to install them, they are not there.

This is a very nice tool and anybody can use it, from beginner to expert level. There are some simple and straightforward settings with documentation that is very clear. If you follow the steps you can easily get up to speed within five minutes for a single user.

I would rate this solution an eight out of ten.

The most valuable feature is the application security. It also has a reasonable price. 

It has an end product and a repeater. Other solutions don't offer options like these. 

The Burp Collaborator needs improvement. There also needs to be improved integration. 

I have been using PortSwigger Burp for the past six years. 

It's not so stable. Some of the security aspects aren't so stable. 

Burp is scalable. 

We have around 150 users using Burp at my company. We use it daily.  

I haven't needed to contact their technical support. 

The initial setup is simple. It only takes two to three minutes. 

We are consultants so we do the implementation ourselves. 

It only requires one person for the implementation and maintenance. 

It costs 39,000 including taxes per year. 

I would recommend this solution to somebody considering Burp. 

I would rate it an eight out of ten. 

We use the solution for scanning our in-house external facing website.

It has been provide user direct access to users scan their websites and find vulnerability in good price. Burp is one of the most extensively used tool in org to do other security based investigations. We are trying to mitigate risk using vulnerabilities identified by Burp.

The solution is very user-friendly.

The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately. 

The biggest drawback is reporting. It's not so good. I can download reports, but they're not so informative. 

For example, they are providing very good information about vulnerabilities, but when you are scanning the whole pathway, we want to see information like percentages, how much is finishing, and how much it is not, etc. If the scan fails, they should tell us when or how it stopped, if it failed, why it has failed, and how to avoid something like this from happening again. They need something more in-depth and more technical. 

I would like to have some more features, which I can play around with. It's not so flexible.

I've been using the solution for more than 1 year.

The solution sometimes has stability problems when they have fixed or released some new package. Instability has happened to us two or three times. It was difficult because we had to implement this disaster recovery plan at that point in time. It wasn't a disaster, but the whole system does stop because of that.

Easily scalable when it comes to Enterprise version. but Enterprise version itself is not as effective as pro.

The technical support team is very good. They are quick at responding and they help us to resolve issues within the organization.

In the past, we had issues around connectivity while we were doing some scanning. The scanning kept getting killed somehow. The quality of the job was poor. The scan was not completed successfully, so we needed technical support to assist. It was hard to identify what the issue was and how to fix it, but they did.

The installation is not difficult. We only needed one person to handle the implementation. Setting up the agents may be tricky, but if a person is knowledgable, it shouldn't be an issue.

Inhouse one

When we had an issue with scanning, we did look into exploring other options like OWASP Zap, Acunetix, etc. We stayed with Burp because we had it set up in our system, and then they had our scanning issue fixed.

We use the on-premises deployment model.

I would rate the solution seven out of ten.

Currently, we're trying to import the solution to implement it to other applications for our website. So far, it's been fantastic.

The suite testing models are very good. It's very secure.

The solution isn't too stable. The fundamentals of it make it difficult to use. Sometimes it takes me to other applications that are being run.

The scalability capabilities of the solution could be improved.

I've been using the solution for three years.

The stability is okay, but we are finding issues.

The solution doesn't offer very good scalability.

We haven't had to contact technical support.

We didn't previously use a different solution.

The initial setup is straightforward. Deployment doesn't take more than two to three hours.

We handled the implementation ourselves.

We use the on-premises deployment model.

I'd rate the solution nine out of ten. I haven't compared it with other vendors, but it is a best-seller currently.

We use this solution for the security assessment of web applications before their release to the internet. The security assessment team uses this product to identify vulnerabilities and vulnerable code that developers may introduce. We host all of the beta applications in our internal web servers and then the security team starts assessments when the development freezes.

In the early years, we did not check our web applications for security vulnerabilities before releasing them to customers. Since we began this practice for every application, our clients are really happy and value our work.

BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding. 

The auto scanning feature provides really good details about issues that it finds.

Crawling web applications using Burp Spider, Target Site Map, automating customized attack with Burp Intruder, and manipulating parameters with Burp Repeater are the most useful and used features.

The Auto Scanning features should be updated more frequently and should include the latest attack vectors.

It would be really helpful if the issue details contained example recommendations on how to fix the issues identified, or perhaps point to external recommendations for reference. 

I have never had issues running this application, so I would say it is stable.

Scalability is very simple and easy.

We have not needed to contact technical support, although there is a very big community of users.

Prior to this solution, we used various open-source or free applications. We wanted to streamline and improve productivity by standardizing the products that we use.

The initial setup of this solution is very straightforward and easy.

We performed the deployment in-house. There were no complicated steps.

Our ROI is above two hundred percent.

There is no setup cost and the cost of licensing is affordable.

We tested all of the free apps and could not find a stable all-in-one solution other than BurpSuite.

All application development organizations should purchase BurpSuite and train their developers on how to use this solution to identify security flaws. This will help to ensure that the applications released to the public internet will have better protection from malicious attackers.

The primary use case is security for the development lifecycle. We use the application for security testing.

The solution helps to identify security issues quickly.

The Spider is the most useful feature. It helps to analyze the entire web application and it finds all the passes and offers an automated identification of security issues.

The number of false positives needs to be reduced on the solution.

I'm not sure whether some features need to be added because the product has a specific toolset, and if I do need some additional features, currently I get them in different security products. The solution, however, could better integrate with various other tools.

The solution is very stable.

The solution is not designed to be scalable. You have an individual license, and I use it individually.

I have not needed to use the solution's technical support.

Before Burp I was manually proxying the data myself. I have experience making my own tools for security assessment. Burp is pretty convenient, and it's one of the most popular tools, which is why I began using it.

I also use Wireshark, which is pretty effective too.

The initial setup was straightforward.

We implemented the solution ourselves.

Licensing is paid on a yearly basis. The yearly cost is about $300.

For application security testing, I would suggest Burp. It's probably the leader in this area. It's just like analog tools such as OWASP ZAP, which is open-source. OWASP ZAP is still not as effective as Burp is.

The solution helps to find different security issues, and it helps identify many, many security issues quickly, and that's what makes it such a useful tool.

I would rate the solution seven out of ten.

Our primary use for this solution is to perform vulnerability scanning before we deploy software in production.

This solution has done a lot to improve our organization. It allows us to be proactive and solve issues before our external auditors find them. 

The most valuable feature of this solution is the scanning functionality. Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them.

Burp Intruder is another very good feature in this solution.

I would like to see a more optimized solution, as it currently uses a lot of CPU power and memory. Sometimes, the application is blocking.

The reporting also needs improvement. Specifically, if there is an issue that exists on many pages, then I do not want to see the same thing repeated many times throughout the report. Rather, it should be pointed out as a global error, and only shown the one time. 

In the next version, I would like an option to scan the environment where the application is installed. I would also like a better cryptographic study, with more controls.

This solution is very stable.

I would say that this is a very scalable solution.

We do plan to increase our usage, but not beyond the Professional version. It is not our intention to move to the Enterprise version right now.

I would rate their technical support a five out of five.

The initial setup and deployment are straightforward and take very little time.

Only one person from the IT department is required for deployment and maintenance.

We handled the implementation internally.

Our licensing cost is approximately $400 USD per year. There are no costs in addition to the standard licensing fees.

We did evaluate other options before choosing this solution.

I would recommend this product to others. It is very straightforward and it is oriented to the application, which is why we chose it. I would also recommend reviewing and using the extensions that are available.

I would rate this solution a nine out of ten.

I use this primarily for intercepting mobile HTTP and HTTPS requests with SSL pinning bypass. It's a better tool for manual tasks.

This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps.

The best feature that I've found is the built-in manual tools.

The scanner and crawler need to be improved.