Developing Burp Suite Extensions - From manual testing to security automation.
Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. Traditional application security practices slow development and, in many cases, don't address security at all. Instead, a new approach based on security automation and tactical security testing is needed to ensure important components are being tested before going live. Security professionals must master their tools to improve the efficiency of manual security testing as well as to deploy custom security automation solutions.
Based on this premise, we have created a brand-new class taking advantage of Burp Suite - the de-facto standard for web application security. In just eight hours, we show you how to use Burp Suite's extension capabilities and unleash the power of the tool to improve efficiency and effectiveness during security audits.
After a quick intro to Burp and its extension APIs, we work on setting up an optimal development environment enabling fast coding and debugging. While we develop our code using Oracle's Netbeans, we also provide templates for IntelliJ IDEA and Eclipse.
We will create many different types of plugins:
- Extension #1: A custom logger to provide persistency and data export functionalities
- Extension #2: A simple (and yet useful) replay tool
- Extension #3: Active check for Burp's scanning engine
- Extension #4: Passive check for Burp's scanning engine
Finally, we leverage our extensions to build a security automation toolchain integrated in a CI environment (Jenkins). This workshop is based on real-life use cases where the combination of custom checks and automation can help uncovering nasty security vulnerabilities.
All templates and code-complete Burp Suite extensions will be available for free on Doyensec's Github. If you are curious, we've already uploaded the first three modules.
The training is suitable for both web application security specialists and developers. Attendees are expected to have rudimental understanding of Burp Suite as well as basic object-oriented programming experience (Burp extensions will be developed in Java).
Attendees should bring their own laptop with the latest Java as well as their favourite IDE installed.
|March 21, 2017||Delivered during Troopers 2017 security conference. There are still seats available. Book it today and get Burp swag during the training!|
|June 5, 2017||Come for WarCon invite-only conference, stay for the training!
For registration, please contact email@example.com with subject line "Burp Training Post-WarCon".
This training is delivered worldwide (English language) during both public and private events. Considering that the class is hands-on, we are able to accept up to 15 attendees. Video recording available on request.
Feel free to contact us at firstname.lastname@example.org for scheduling your class!