Burp Suite User Forum


Burp Suite Enterprise Integration with Jenkins

Rajeshkumar | Last updated: Mar 18, 2021 09:56PM UTC

I have gone through your forums and understood that Burp Enterprise can be integrated with Jenkins and that it triggers the DAST via Burp Enterprise during the build process. My questions are:

1. Can Burp perform DAST with the latest version of the code that is about to be deployed to the app? Or will Burp perform the DAST with the previous version of the code associated with my app?
2. DAST is an "outside in" model, as the user looks at the application. How does Burp Enterprise look at the application while being triggered from Jenkins? Does it look at the user-level functionalities and perform the DAST, or look at the code and perform the scanning?
3. While integrating Burp with Jenkins, can Burp initiate a fully automated crawl and audit? Is there any option for a partial scan which can be triggered from Jenkins?
4. I have experience integrating SAST products with Jenkins. Jenkins will wait until it receives the final status from the SAST product and then decides the build process status. While integrating Burp with Jenkins, will Jenkins wait until Burp provides the final status of the DAST scanning? I am asking these questions because sometimes a DAST scan will take about an hour or more.

Ben, PortSwigger Agent | Last updated: Mar 22, 2021 04:03PM UTC

Hi,

It might be useful for you to take a look at the following information detailing how Burp works with the DAST methodology:

https://portswigger.net/burp/application-security-testing/dast

In answer to your questions:

  1. Burp will be scanning the deployed version of your site.
  2. Burp predominantly works by evaluating the HTTP/S requests and responses from a given site in order to determine any web vulnerabilities that may be present. There are also, however, aspects of SAST (Burp has the ability to perform static and dynamic analysis of JavaScript) and SCA (Burp can now identify vulnerable libraries being used in a site) now available when scanning websites.
  3. Burp Enterprise will perform a full automated crawl and audit of your target websites. The crawling phase identifies the content of the site in question and the audit phase will then audit this discovered content in order to identify web vulnerabilities.
  4. Yes, that is correct. If you incorporate a Burp scan as part of an existing job then you will need to wait until the scan has completed.

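The waiting behaviour described in point 4 above, as an added example that is not PortSwigger's code and not part of the original thread: a small Python script a Jenkins `sh` step can call, which starts a scan against the deployed URL, blocks until Burp reports a final status, and turns the result into a pass/fail exit code. The host name and API key are placeholders, and the REST endpoint shape (a `POST .../scan` that answers with a `Location` header, a `GET .../scan/<id>` whose JSON carries `scan_status` and `issue_events`) is an assumption to check against your Burp Suite Enterprise version's API documentation. The polling loop takes its fetch, sleep and clock functions as parameters so the gating logic can be exercised offline.

```python
"""Gate a Jenkins stage on a Burp Suite Enterprise scan (added example).

Assumptions, not taken from the forum thread: the scan is started and polled
through Burp's REST API, whose status document carries a top-level
``scan_status`` and an ``issue_events`` list. Host and API key are placeholders.
"""
import json
import sys
import time
import urllib.request

# Placeholder: point this at your own Burp Suite Enterprise instance.
BURP_API_BASE = "https://burp-enterprise.example.internal/api/REPLACE_WITH_API_KEY/v0.1"

# Assumed terminal values of ``scan_status``; anything else means "still working".
TERMINAL_STATES = {"succeeded", "failed", "cancelled"}

# Rank used to compare the configured threshold against reported severities.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def start_scan(target_url: str) -> str:
    """POST a scan for the deployed URL and return the scan id from the Location header."""
    body = json.dumps({"urls": [target_url]}).encode()
    req = urllib.request.Request(
        f"{BURP_API_BASE}/scan", data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        # Assumed: the API answers with ``Location: .../scan/<id>``.
        return resp.headers["Location"].rstrip("/").rsplit("/", 1)[-1]


def fetch_status_http(scan_id: str) -> dict:
    """GET the current status document for one scan."""
    with urllib.request.urlopen(f"{BURP_API_BASE}/scan/{scan_id}", timeout=30) as resp:
        return json.load(resp)


def wait_for_scan(fetch_status, timeout_s: float, poll_s: float,
                  sleep=time.sleep, clock=time.monotonic) -> dict:
    """Block until the scan reaches a terminal state or the deadline passes.

    ``fetch_status`` is a zero-argument callable returning the status dict, so
    the loop can be driven by canned responses offline. This is the wait the
    reply describes: the Jenkins stage does not finish until Burp reports a
    final status, and a hard deadline keeps a stuck scan from hanging the job.
    """
    deadline = clock() + timeout_s
    while True:
        status = fetch_status()
        if status.get("scan_status") in TERMINAL_STATES:
            return status
        if clock() >= deadline:
            raise TimeoutError(f"scan still {status.get('scan_status')!r} after {timeout_s}s")
        sleep(poll_s)


def count_by_severity(status: dict) -> dict:
    """Tally ``issue_found`` events by severity, ignoring other event types."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for event in status.get("issue_events", []):
        if event.get("type") != "issue_found":
            continue
        sev = event.get("issue", {}).get("severity", "info").lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def build_should_fail(status: dict, threshold: str = "high") -> bool:
    """Fail the build when the scan did not succeed or any issue meets the threshold."""
    if status.get("scan_status") != "succeeded":
        return True
    limit = SEVERITY_RANK[threshold]
    counts = count_by_severity(status)
    return any(SEVERITY_RANK.get(sev, 0) >= limit and n > 0 for sev, n in counts.items())


def main(target_url: str) -> int:
    """Exit code for a Jenkins ``sh`` step: 0 passes the stage, 1 fails it."""
    scan_id = start_scan(target_url)
    # Two-hour ceiling, polling every 30 s; tune both to your scan sizes.
    status = wait_for_scan(lambda: fetch_status_http(scan_id), timeout_s=2 * 3600, poll_s=30)
    print(json.dumps(count_by_severity(status)))
    return 1 if build_should_fail(status) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it from the pipeline as `sh 'python3 burp_gate.py https://staging.example.internal'` after the deploy stage, since point 1 above says Burp scans the deployed site, not the commit being built. The severity threshold is the knob that keeps informational findings from blocking every build while still failing on the high-severity ones.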