Burp Suite User Forum


Configuring and automating BurpSuite Enterprise Edition scans

Zac | Last updated: Jul 16, 2021 02:13PM UTC

I'm evaluating BurpSuite Enterprise Edition and had a question for anyone who might have experience using it. Architecturally, BurpSuite EE (hereafter "BSEE") seems to have the following componentry:

- A web app; used by SecOps to log in and manage/configure/run scans
- 1+ "Agent machines"; servers where "Agents" are installed and running and communicating back to the web app; apparently each Agent machine can run 1+ Agents
- Agents, software agents installed on agent machines, responsible for running scans against targets and reporting back to the web app
- The targets that are scanned by the agents

Assuming I'm correct in my understanding of these (which, if I'm not, please begin by correcting me!!!), I'm wondering what the relationships & cardinalities between all these things are. Say I have 20 microservices (web services using HTTPS) that I want to scan. Do I install the Agents on the 20 servers for each of these 20 microservices, or do I have dedicated "security scanner servers" that I install Agents on, and then configure those agents to run scans against my 20 microservice servers?

So that's my main question, but I also had two other smaller concerns, specifically:

- In the web UI it looks like you can either run scans immediately, ad hoc/on demand, or according to a schedule. But what if you want to integrate the scans into your deployment pipeline, automatically? Is there a way to kick off a scan via command line or API and then fetch the report (HTML, XML, PDF, etc.) from disk?
- Is it possible for developers to configure scans in Community or Pro Edition, export those scan configurations, and import them into BSEE? How about vice versa?

Thanks in advance for any and all concerns!

Maia, PortSwigger Agent | Last updated: Jul 19, 2021 09:56AM UTC

Hi,

Thank you for your message.

Normally, you would scan from agents sitting on dedicated agent machines. By default any agent can be used for any scan; however, you can configure the agent machines into pools and only allow specific sites to be scanned using them.
There is a handy multi-deployment diagram in the network configuration documentation here.

It is possible to use the configuration from Burp Suite Professional or Community in BSEE and vice versa; however, some of the configuration options may not work in Enterprise if they are specific to Pro/Community. These can be imported and exported as JSON files from the Configuration Library in Pro/Community or the Scan Configurations page in BSEE.

Regarding integration into your deployment pipeline, yes, you can integrate the scans and fetch the result as either individual issues or an HTML report. We have dedicated plugins for Jenkins and TeamCity, and a platform-agnostic generic CI/CD driver for other integrations. We hope to release more dedicated plugins in the future. You can also directly use either the REST or GraphQL API.

More information can be found in the links below:
CI/CD integration: https://portswigger.net/burp/documentation/enterprise/administration-tasks/ci-cd
Drivers: https://portswigger.net/burp/releases#driver
APIs: https://portswigger.net/burp/documentation/enterprise/api-reference

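The pipeline integration described in the reply above, as an added example that is not part of the thread and not PortSwigger's code: a Python step that starts a scan through the Enterprise GraphQL API, polls it to a terminal state, pulls the issues and fails the build when anything at or above a chosen severity and confidence is found. The endpoint path (`/graphql/v1`), the `Authorization` header shape, the status names and every field name in the query strings are assumptions for illustration; check them against the API reference linked above before relying on them. The `FakeTransport` and its issue list are constructed so the script runs offline.

```python
"""Gate a deployment pipeline on a Burp Suite Enterprise scan (added example).

ASSUMED, not taken from the thread or the product docs: the GraphQL endpoint
path, the Authorization header, the status names and the field names in the
query strings. Verify them against the Enterprise API reference before use.
"""
import json
import time
import urllib.request

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE_RANK = {"tentative": 0, "firm": 1, "certain": 2}
TERMINAL_STATES = {"succeeded", "failed", "cancelled"}  # assumed status names

# Illustrative query shapes; field names are assumptions.
START_SCAN = "mutation($site: ID!) { create_scan(input: {site_id: $site}) { id } }"
SCAN_STATUS = ("query($id: ID!) { scan(id: $id) { status "
               "issues { severity confidence issue_type { name } path } } }")


class BurpEnterpriseClient:
    """Minimal GraphQL client; `transport` can be swapped for an offline fake."""

    def __init__(self, base_url, api_key, transport=None):
        self.endpoint = base_url.rstrip("/") + "/graphql/v1"  # assumed path
        self.api_key = api_key
        self._transport = transport or self._http_post

    def _http_post(self, body):
        req = urllib.request.Request(
            self.endpoint, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": self.api_key})  # assumed header shape
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def query(self, query, variables=None):
        result = self._transport({"query": query, "variables": variables or {}})
        if result.get("errors"):
            raise RuntimeError("GraphQL errors: %s" % result["errors"])
        return result["data"]


def start_scan(client, site_id):
    return client.query(START_SCAN, {"site": site_id})["create_scan"]["id"]


def wait_for_scan(client, scan_id, poll_seconds=30, timeout_seconds=3600):
    """Poll until the scan is terminal; a hung scan times out and fails the build."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        scan = client.query(SCAN_STATUS, {"id": scan_id})["scan"]
        if scan["status"] in TERMINAL_STATES:
            return scan
        if time.monotonic() > deadline:
            raise TimeoutError("scan %s still %s" % (scan_id, scan["status"]))
        time.sleep(poll_seconds)


def blocking_issues(issues, min_severity="high", min_confidence="firm"):
    """Issues that fail the build: severity AND confidence at or above threshold."""
    return [i for i in issues
            if SEVERITY_RANK[i["severity"]] >= SEVERITY_RANK[min_severity]
            and CONFIDENCE_RANK[i["confidence"]] >= CONFIDENCE_RANK[min_confidence]]


def gate(client, site_id, poll_seconds=30, timeout_seconds=3600,
         min_severity="high", min_confidence="firm"):
    """Return (passed, scan_status, blocking_issues) for use as a pipeline step."""
    scan = wait_for_scan(client, start_scan(client, site_id), poll_seconds, timeout_seconds)
    if scan["status"] != "succeeded":          # failed/cancelled scan is not a pass
        return False, scan["status"], []
    blocking = blocking_issues(scan["issues"], min_severity, min_confidence)
    return not blocking, scan["status"], blocking


class FakeTransport:
    """Constructed offline stand-in for the server: one 'running' poll, then 'succeeded'."""
    ISSUES = [  # constructed sample issues, not real scan output
        {"severity": "high", "confidence": "certain",
         "issue_type": {"name": "SQL injection"}, "path": "/api/orders"},
        {"severity": "high", "confidence": "tentative",
         "issue_type": {"name": "OS command injection"}, "path": "/api/export"},
        {"severity": "low", "confidence": "certain",
         "issue_type": {"name": "Strict transport security not enforced"}, "path": "/"},
    ]

    def __init__(self):
        self.polls = 0

    def __call__(self, body):
        if "create_scan" in body["query"]:
            return {"data": {"create_scan": {"id": "42"}}}
        self.polls += 1
        done = self.polls > 1
        return {"data": {"scan": {"status": "succeeded" if done else "running",
                                  "issues": self.ISSUES if done else []}}}


if __name__ == "__main__":
    client = BurpEnterpriseClient("https://burp.example.internal", "API-KEY",
                                  transport=FakeTransport())
    passed, status, blocking = gate(client, "site-1", poll_seconds=0)
    for i in blocking:
        print("BLOCKING %s: %s at %s" % (i["severity"].upper(), i["issue_type"]["name"], i["path"]))
    raise SystemExit(0 if passed else 1)
```

Replacing `FakeTransport()` with the default HTTP transport and a real site id turns this into the generic CI/CD step the reply mentions; the non-zero exit code is what stops the deployment. Requiring both a severity and a confidence threshold avoids failing builds on tentative findings while still blocking on firm high-severity ones.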