S01E03 of the DevSecOps meetup was pushed out by a week due to the Easter break. Shout-out to the speaker (Shawn Thompson) for accommodating the change of date.
It was a full house for this event, with seats limited to 100 RSVPs. Thank you to the folks who came last night. I have pictures from the night at the bottom of the article. Feel free to share any feedback on what you would like to see more of and what should be a complete no (e.g. product pitches/sales talks).
Food & Drinks: Versent & Hays
Speaker Topic — Burp in CI
During the talk, Shawn went through a Burp Suite Pro primer for audience members who had not seen the pentesting application before. He spoke about the different capabilities (Intruder, Scanner, Proxy) that Burp Suite provides and which of those are exposed through its APIs.
This was followed by a proposed architecture and the implementation challenges he faced while installing Burp Suite in a Docker container, which turns out not to be a two-minute job.
Proposed Architecture — Burp in CI:
In the proposed architecture, Burp Scanner was aligned with integration testing, Burp Intruder with unit testing, and Burp Proxy with functional testing.
Burp sits at the end of the pipeline, after the artefact has been built by the CI pipeline. The artefact will have both a front end and a back end; by the way, did I mention Burp is a tool only for web apps? :)
Shawn went through the Dockerfile he used to install Burp in a Docker container. Installation gotchas: Burp requires some manual intervention during installation to accept the EULA, and the Pro licence is per user, which is a bummer because automation doesn't go well with user-specific licences; it limits scaling servers on demand, i.e. you can only have one Burp server.
Once the Docker container is built and deployed with its API endpoints available and ready to use, Shawn used a shell script to:
- define scope
- spider target
- run burp scanner
- export xml report of the scan
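The four steps above as a CI-side driver, written as an added example for this write-up rather than Shawn's own script (which is not reproduced here). It assumes Burp Pro is running in the container behind the community burp-rest-api wrapper (vmware/burp-rest-api), whose endpoint names (`/burp/target/scope`, `/burp/spider`, `/burp/scanner/scans/active`, `/burp/scanner/status`, `/burp/report`) and `scanPercentage` status field are used below; other wrappers and PortSwigger's own REST API use different paths, so check the version you deploy. The transport is injected so the flow can be exercised without a live Burp instance.

```python
"""Drive Burp Suite Pro from a CI job: scope, spider, active scan, XML report.

Added example; assumes the vmware/burp-rest-api endpoint layout (not the
speaker's script, not PortSwigger's official REST API).
"""
import json
import time
import urllib.parse
import urllib.request


def http_transport(base_url, timeout=30):
    """Build a transport: call(method, path, params) -> (status, body_text)."""

    def call(method, path, params=None):
        url = base_url.rstrip("/") + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, method=method)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")

    return call


def run_scan(call, target, poll_interval=5, max_polls=720, sleep=time.sleep):
    """Run the four pipeline steps and return the XML report text.

    `call` is a transport as built by http_transport(); it is injected so the
    flow is testable offline. max_polls * poll_interval is the scan timeout
    (default one hour), so a hung scan fails the build instead of blocking it.
    """
    # 1. define scope: only the target is in scope, so the spider and scanner
    #    cannot wander into third-party hosts the app links to
    status, _ = call("PUT", "/burp/target/scope", {"url": target})
    if status not in (200, 201):
        raise RuntimeError("could not set scope, HTTP %d" % status)

    # 2. spider the target to build the site map the scanner works from
    status, _ = call("POST", "/burp/spider", {"baseUrl": target})
    if status not in (200, 201):
        raise RuntimeError("spider did not start, HTTP %d" % status)

    # 3. active-scan everything under the target prefix
    status, _ = call("POST", "/burp/scanner/scans/active", {"baseUrl": target})
    if status not in (200, 201):
        raise RuntimeError("scan did not start, HTTP %d" % status)

    # poll until the scanner reports 100%, bounded by max_polls
    for _ in range(max_polls):
        status, body = call("GET", "/burp/scanner/status")
        if status == 200 and int(json.loads(body).get("scanPercentage", 0)) >= 100:
            break
        sleep(poll_interval)
    else:
        raise TimeoutError("scan did not finish within %d s"
                           % (max_polls * poll_interval))

    # 4. export the XML report for the scanned prefix; the caller parses it
    status, report = call("GET", "/burp/report",
                          {"reportType": "XML", "urlPrefix": target})
    if status != 200:
        raise RuntimeError("report export failed, HTTP %d" % status)
    return report


if __name__ == "__main__":
    import sys
    # usage: python burp_ci.py http://burp-api:8090 https://staging.example.test
    sys.stdout.write(run_scan(http_transport(sys.argv[1]), sys.argv[2]))
```

The step order matters: setting scope first means the spider and scanner refuse out-of-scope hosts, and the bounded poll loop is what keeps a stuck scan from holding a CI runner indefinitely.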
At this point the audience shared their experiences of trying to achieve the same. The biggest problems with integrating Burp into a CI pipeline were identified as:
- a large number of duplicate findings from the Burp scan.
- using Kubernetes to deploy a farm of Burp Docker containers would be a very difficult task.
- OWASP ZAP is something that a lot of audience members had success integrating into their CI pipelines.
- linking scan results to a case-management tool like Jira is a possible way to track vulnerability fixes and make sure they get implemented.
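The duplicate-findings and Jira points above are the two halves of the same post-scan step, so here is one added example (not code from the talk or from PortSwigger) that takes the XML report the shell script exports and turns it into a build gate plus ticket candidates. It relies on the `<issues><issue>` layout of Burp's XML export (`type`, `name`, `host`, `path`, `location`, `severity`, `confidence` elements); the sample report is constructed for the example, the de-duplication key `(type, host, path)` is a design choice that collapses Burp's one-issue-per-parameter reporting, and the Jira field names are assumed and should be adapted to your tracker.

```python
"""Parse a Burp XML report into a de-duplicated, ticket-ready CI gate.

Added example; assumes Burp's <issues><issue> XML layout. SAMPLE_REPORT is
constructed, not real scan output, and the ticket dict fields are assumed.
"""
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}
CONFIDENCE_RANK = {"Certain": 2, "Firm": 1, "Tentative": 0}

# Constructed sample: Burp reports the reflected XSS once per parameter, so
# /search appears twice, plus once more on /products; the SQLi is Tentative.
SAMPLE_REPORT = """<?xml version="1.0"?>
<issues burpVersion="1.7.37" exportTime="Mon Apr 02 21:00:00 AEST 2018">
  <issue><type>2097920</type><name>Cross-site scripting (reflected)</name>
    <host ip="10.0.0.5">https://staging.example.test</host><path>/search</path>
    <location>/search [q parameter]</location>
    <severity>High</severity><confidence>Certain</confidence></issue>
  <issue><type>2097920</type><name>Cross-site scripting (reflected)</name>
    <host ip="10.0.0.5">https://staging.example.test</host><path>/search</path>
    <location>/search [sort parameter]</location>
    <severity>High</severity><confidence>Firm</confidence></issue>
  <issue><type>2097920</type><name>Cross-site scripting (reflected)</name>
    <host ip="10.0.0.5">https://staging.example.test</host><path>/products</path>
    <location>/products [cat parameter]</location>
    <severity>High</severity><confidence>Certain</confidence></issue>
  <issue><type>1049088</type><name>SQL injection</name>
    <host ip="10.0.0.5">https://staging.example.test</host><path>/api/items</path>
    <location>/api/items [id parameter]</location>
    <severity>High</severity><confidence>Tentative</confidence></issue>
  <issue><type>5244416</type><name>Cookie without HttpOnly flag set</name>
    <host ip="10.0.0.5">https://staging.example.test</host><path>/login</path>
    <location>/login</location>
    <severity>Low</severity><confidence>Certain</confidence></issue>
</issues>
"""


def parse_issues(xml_text):
    """One dict per <issue>. Plain ElementTree is acceptable because the
    report comes from our own scanner, not from an untrusted party."""
    root = ET.fromstring(xml_text)
    fields = ("type", "name", "host", "path", "location", "severity", "confidence")
    return [{f: (i.findtext(f) or "") for f in fields} for i in root.iter("issue")]


def deduplicate(issues):
    """Merge issues sharing (type, host, path) into one finding that keeps the
    highest severity and confidence seen and the list of all locations."""
    merged = {}
    for i in issues:
        key = (i["type"], i["host"], i["path"])
        f = merged.get(key)
        if f is None:
            f = merged[key] = {k: v for k, v in i.items() if k != "location"}
            f["locations"] = []
        f["locations"].append(i["location"])
        if SEVERITY_RANK[i["severity"]] > SEVERITY_RANK[f["severity"]]:
            f["severity"] = i["severity"]
        if CONFIDENCE_RANK[i["confidence"]] > CONFIDENCE_RANK[f["confidence"]]:
            f["confidence"] = i["confidence"]
    return list(merged.values())


def gate(findings, fail_on="Medium", ignore_tentative=True):
    """Findings that should fail the build: at or above fail_on and, by
    default, not Tentative, so the scanner's guesses do not block releases."""
    return [f for f in findings
            if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]
            and not (ignore_tentative and f["confidence"] == "Tentative")]


def ticket_payloads(findings, project="SEC"):
    """Jira-style bodies (field names assumed). The summary is deterministic
    so a re-run can be matched to an open ticket instead of filing another."""
    return [{"project": project,
             "summary": "%s at %s%s" % (f["name"], f["host"], f["path"]),
             "priority": f["severity"],
             "description": "Burp type %s, confidence %s\nLocations:\n%s"
                            % (f["type"], f["confidence"], "\n".join(f["locations"]))}
            for f in findings]


def ci_gate(xml_text, fail_on="Medium"):
    """Pipeline step: returns (build_ok, tickets_for_all_findings, blocking)."""
    findings = deduplicate(parse_issues(xml_text))
    blocking = gate(findings, fail_on)
    return not blocking, ticket_payloads(findings), blocking


if __name__ == "__main__":
    ok, tickets, blocking = ci_gate(SAMPLE_REPORT)
    for t in tickets:
        print(t["priority"], t["summary"])
    raise SystemExit(0 if ok else 1)
```

On the sample, five reported issues collapse to four findings, the build fails on the two certain/firm reflected XSS findings, and the tentative SQL injection is ticketed for review without blocking the release; matching the deterministic summary against open tickets is what stops every nightly scan from re-filing the same Jira issue.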
Appreciate everyone who came to attend the event and made the talk awesome with the crowd interaction and post-talk chat! Special shout-out to the folks who helped me clean up later in the night after everyone left.
Slides and Repo from the night will be linked here once made available.
Pictures from the night