PortSwigger Burp Suite Professional pros and cons

The solution has a great user interface.

The solution has a pretty simple setup.

The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately.

The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well.

In my area of expertise, I feel like it has almost everything I could possibly require at this moment.

The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

The most valuable features are Burp Intruder and Burp Scanner.

With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp.

I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite a lot helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want.

The active scanner, which does an automated search of any web vulnerabilities.

It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated.

The pricing of the solution is quite high.

The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative.

There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI.

A lot of our interns find it difficult to get used to PortSwigger Burp's environment.

One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.

There should be a heads up display like the one available in OWASP Zap.

There is not much automation in the tool.

I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us.

As with most automated security tools, too many false positives.