Cyber security Lead at a manufacturing company with 1,001-5,000 employees
Scalable and has helpful technical support, but gives a lot of false positives
Pros and Cons
- "The initial setup is straightforward."
- "The solution is a bit expensive."
What is our primary use case?
I'm using the solution for the vulnerability scan and for basically all the kinds of applications that we use in our environment. My client is a product-based company - one of the premier Fortune 500 companies, and they are into medical equipment product manufacturing. We develop quite a lot of applications for our hardware and some of the internal requirements as well. Those applications only get deployed in hospitals and other kinds of medical equipment. I'm using it for vulnerability scanning and more for application scanning.
What is most valuable?
The most valuable part is that a beginner can run those scans and the V scanning of that particular vulnerability. I can set my vulnerability scan into different configurations and I can run the scan and I can do the part myself. It helps me out sometimes.
The solution can scale.
Technical support is helpful.
The initial setup is straightforward.
What needs improvement?
There are lots of false positives. That is a bad part. It's something that they can work on.
If I'm scanning, I'm running a vulnerability scan and those libraries are there, sometimes those vulnerabilities of the libraries like Java or something get reported, and sometimes it misses them. That I have also raised with our team, however, they were not able to satisfy me in that aspect. Some Java libraries are outdated. It was showing vulnerability in an older version, in the older configuration. Once I updated my vulnerability scanner, and not that Java library, the vulnerability scanner still missed that particular vulnerability. Regarding the binaries part, there was a lot of long technical discussion with the Enterprise support team. Too many times the vulnerability scan fails.
The solution is a bit expensive.
I'd like to see a DST, an image testing. Mobile also would be helpful. It would make the product a better player in the scanning part.
There are lots of vulnerability scanners that are providing code analysis. They can increase it to be a competitive product in the market.
We have looked at other solutions and products to add to get more tools. Code analysis, mobile, and APIs are becoming big on the market and this solution doesn't answer all of those needs just yet.
For how long have I used the solution?
I haven't quite been using the solution for 12 months. I've been using it for about 6 months or so.
Professionally, I have used the product for more than seven, eight years. From the very beginning, I've been using Burp Suite in my career.
Buyer's Guide
PortSwigger Burp Suite Enterprise Edition
October 2024
Learn what your peers think about PortSwigger Burp Suite Enterprise Edition. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,572 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability is a big issue. So many times the scans fail. In comparison, I'm using the Burp Suite Enterprise as well as that UI version. I am missing that part. Generally, we install on the client version that is there. The client generally finishes their scans quickly, however, in Enterprise it runs for four days, five days, or six days. That is a major pain point. Once I compare that with the HP WebInspect or some other vulnerability scanners, they generally do the job a little bit quicker. Most of the time the vulnerability scan doesn't fail in those either. In this one, after running a comparison seven days straight, on the seventh day, it may have failed due to a failed check or some checks that are not positive.
I have set up whatever the settings are there, yet, if it fails after four days, it impacts my environment. You have put up a vulnerability scan, based on what you're supposed to do. I'm a cybersecurity tester also. Depending upon my schedule, it affects my schedule. If I have a shared customer, this application will be scanned in three days and we'll be doing the manual assessment in another coming one week or two weeks, whatever the application size may be. Once this fails, it impacts my other commitments as well.
What do I think about the scalability of the solution?
I have not tried to scale the solution. Six, seven images I have deployed. However, the scalability is there. I can deploy multiple scanners for multiple portals. It's a good option actually. I've used mostly Burp Suite Enterprise, and therefore, I don't know much about other scanners. Due to the fact that I've used HP WebInspect, and IBM AppScan, I use them on my laptop only. If those options are now available, I have to update my last decade of experience.
Right now there are three or four people that work with this solution.
How are customer service and support?
I've had lots of calls with technical support. When we raise a ticket, we get a very quick response.
How was the initial setup?
The initial setup was pretty straightforward. I just needed to type in a mail on the support portal. If there are issues on the portal, the support team generally addresses them.
The deployment was easy. It takes about 48 hours, maybe, and that's it. It didn't take much time. It's a simple one actually. It was very general. Support is also very helpful during the deployment process.
What about the implementation team?
We had the assistance of support when we needed it during the installation and deployment process.
What's my experience with pricing, setup cost, and licensing?
Next year, my license expires.
This is costly, and we are planning to use the professional version more as we're in the process of buying the professional version also. For the most part, we will not choose the Enterprise version due to the cost and the stability. Only for scanning purposes am I using the Enterprise version. Other than that, it's not much. Everything is on the professional version for the most part. If it's all there, why would I pay so much extra? Therefore, when the license expires, I won't be getting an Enterprise version.
Right now, we are using the community version, however, we are looking to choose the most appropriate tier. We're mostly using it for upgrades and testing purposes.
The licensing is paid on a yearly basis. It's an expensive solution.
Which other solutions did I evaluate?
I did not evaluate other solutions first. I was new to this environment. Once I came along, the company was already using the product. I was not in decision-making on that. Later on, I introduced the Professional version.
What other advice do I have?
We are service providers and we work with clients, however, we are not a partner.
The latest version is currently deployed basically in one of my virtual drives. It's in my vCenter, not necessarily on the cloud.
I'd advise other potential users that deploying in vCenter is much better - then you can back up everything and stuff like that. You're protected if your system is down. That said, it generally helps in the VM setup. It helps with scaling and deploying multiple scanners too.
I'd rate the solution at a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber security Lead at a manufacturing company with 1,001-5,000 employees
A security testing solution with a useful dynamic scanning feature, but it could be more stable.
Pros and Cons
- "I like normal dynamic scanning, general web applications scanning, and vulnerability assessments."
- "There's definitely room for improvement. There are lots of false positives. Once I do the manual assessment, it comes as a false positive. They need to improve the Enterprise Edition, especially the part that gives false positives."
What is our primary use case?
We use both Burp Suite Professional and the Enterprise Edition for manual application assessments and dynamic assessments at my client's company.
What is most valuable?
I like normal dynamic scanning, general web applications scanning, and vulnerability assessments.
What needs improvement?
There's definitely room for improvement. There are lots of false positives. Once I do the manual assessment, it comes as a false positive. They need to improve the Enterprise Edition, especially the part that gives false positives.
The scan result is also unstable. In some applications, it'll basically give the frameworks, but the GRE is missing from it. It won't report some scans, and some results are substandard.
In the next release, I'm looking for a scanning tool that has SAST and DAST. For example, Veracode provides all those things. Burp Suite Enterprise Edition only provides vulnerability scanning like static analysis and dynamic analysis, software composition analysis, and practice applications. They should also offer more with different packages.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Enterprise Edition for about two months.
What do I think about the stability of the solution?
It's not a stable product. Sometimes, it takes a lot of time to scan. Sometimes it runs the scan for almost three or four days, and if some audits get filled, it stops immediately. It's unstable and takes lots of time compared to other vulnerability scanners. Burp Suite Professional is excellent and stable. It gives lots of options for manual assessment. But PortSwigger Burp Suite Enterprise Edition still has lots of room for improvement.
How are customer service and technical support?
Technical support gave me a few options to speed up the scanning process, but it still took three or four days. I wasn't satisfied with my experience.
Which solution did I use previously and why did I switch?
Most companies I have worked with over the past decade used Burp Suite Professional for application scanning. Generally, most companies will go for PortSwigger Burp Suite Enterprise Edition for code analysis or go for Checkmarx or HPE Fortify. There are some pretty good solutions available in the market, like IBM AppScan and Acunetix, which are well established in the application scanning market.
How was the initial setup?
The initial setup is straightforward. We have deployed it in vCenter in a VM environment.
What's my experience with pricing, setup cost, and licensing?
PortSwigger Burp Suite Enterprise Edition is expensive compared to other solutions. The license for Burp Suite Professional is more economical and gives you the same scanning features because the scanning, in general, is the same in both editions. But I can't do lots of things like automation in my manual assessment. The Professional edition would be my preferred choice if I were making the purchase decisions.
What other advice do I have?
I would tell potential users that it'll work fine with vCenter. You can deploy it because it gives you the option of taking a snapshot and doing other stuff quite easily. Manageability is also good in a virtual environment.
On a scale from one to ten, I would give PortSwigger Burp Suite Enterprise Edition a six.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Information Officer - Chief Security Officer at Chrematis
Beneficial device discovery, and useful CMDB, but complicated implementation
Pros and Cons
- "We are in the early stage of using the solution making it difficult to fully determine the best features. However, we have noticed the CMDB and device discovery features look valuable at this time."
- "The implementation of the solution is quite complicated and could be easier."
What is most valuable?
We are in the early stage of using the solution making it difficult to fully determine the best features. However, we have noticed the CMDB and device discovery features look valuable at this time.
What needs improvement?
The implementation of the solution is quite complicated and could be easier.
For how long have I used the solution?
I have been using the solution for five months.
What do I think about the scalability of the solution?
Most of my clients are medium-sized businesses using the solution.
How was the initial setup?
The installation is somewhat difficult. We had some initial technical issues, but most have been resolved. The main issue was with the installation agent: it required us to reboot several times. This could have been because of the system environment at the client's site, because in our lab the agent installation is really straightforward and it did not require reboots. When we did the install at the client site, we experienced that it sometimes required several reboots after the agent installation. It surprised us and we are still working on fixing it.
What other advice do I have?
I rate Fortinet FortiSIEM a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.