Hamburger Icon

Burp Suite Enterprise
vs. StackHawk: AppSec
Testing Tool Comparison

rebecca-warren

Rebecca Warren|April 29, 2021

Interested in the differences between Burp Suite Enterprise and StackHawk? The comparison below walks through how the two tools stack up.

Burp Suite is loved by security users and pen testers for its proxy feature that allows the manual manipulation of traffic.

If you have any background in application security, you are familiar with Burp Suite. For those who are newer to the space, Burp Suite is one of the leading application security testing tools used by penetration testers and security analysts. Building on the popularity of Burp for individual use, Portswigger (the company that created Burp Suite) introduced the enterprise version of its AppSec testing tool to capture a different market – those looking to automate security testing across their org.

Burp Enterprise came with big promises. And while the product has the same high quality application security scanner, it doesn’t check all the boxes for modern teams looking to integrate security testing into product delivery.

StackHawk is an alternative to Burp Suite. Its sweet spot is for teams looking to scale API and application security across development teams. The scanner runs in CICD with features developers love, and provides coverage for modern apps and APIs.

The comparison tl;dr

Burp Suite and StackHawk both have best in class scanning capabilities. Burp Suite utilizes a proprietary scanner and StackHawk is built on top of ZAP – the world’s most popular security testing tool. 

Which tool is right for you depends on your requirements and how you are looking to scale application and API security testing across your team. 

For teams familiar with Burp Suite that are looking to have a CICD system kick-off a build, but largely keep security in control of testing, review, and remediation, Burp Suite is a solid tool - especially if the team is already familiar with Burp’s other offerings. 

For teams that are looking to shift application security left, gaining the efficiencies promised by DevOps and CICD automation, StackHawk is the ticket. 

The differences between these two tools are most clear across four areas: configuration, automated scanning in CICD, coverage for APIs, and dev-friendly features. 

In this blog, we will dive into each of these so you can get a better picture of what tool is right for your team.  

Find and Fix Security Vulnerabilities

Burp Suite Enterprise vs StackHawk

Below is a comparison of Burp Suite Enterprise vs StackHawk 👇. 

comparisson-table-burp-vs-stackhawk image

Key Differences Between Burp Suite and StackHawk

Scanner Configuration

We’ve been there…

You’re pumped to roll out that sexy new tool across your team.

And then you look at the config guide and your jaw drops because there are 11ty billion steps to get this thing going. So much for getting this rolled out to the team before Friday. 

Burp Suite and StackHawk have big differences when it comes to deployment.

Burp Suite Configuration

Burp Suite configuration is no joke. 

To get going with the on premises offering, teams must provision VMs for a web server, an enterprise server, a database, and Burp scanning agents. The web server and enterprise server require separate configuration before users can begin customizing the scanning agents. 

Luckily, configuring scans once the infrastructure is deployed is straightforward, especially if the admin has used Burp Pro previously. The admin will create target sites for scanning in the Burp UI. 

From there the user will configure a scan profile for the site. Scan creation is built to be very security-friendly. Users can schedule the scan to happen at a certain time, indicate if they would like it to be recurring, and pull in a Burp generated scan profile that has pre-determined parameters around crawl time limits, crawl speed, and audit coverage. 

StackHawk Configuration

StackHawk was built to run anywhere, so anyone can get going with automated security testing. Kicking off your first scan does not require learning a complex UI, deploying servers, or changing firewall rules. 

What makes this all possible is that StackHawk is deployed via a Docker container. The scanner can run consistently and reliably in any computing environment that your team needs. Test for vulns locally on a developer machine, in a CICD pipeline, or anywhere else your team can dream of. 

To get going with a scan, users create an app in the StackHawk web portal which can be done with only three variables. With these variables, StackHawk creates a YAML file that encompasses the entire scan config, and the user is able to kick-off a DAST scan with a single `docker run` command.

Users can go from sign-up to a completed scan in CICD in 20 minutes.

How to Think About DAST Configuration

With vastly different approaches to configuration and scan deployment, there are significant implications about how these tools will be implemented and scaled throughout a software organization. Burp Suite’s configuration not only requires agents to be deployed within a company’s infrastructure, but it also limits the ability to shift application security left.

With this configuration, scans can only be run against either a staging or production build of the application. With this, developers often are not made aware of new vulnerabilities that they have introduced for days or weeks. With scanning implemented within the CI/CD pipeline, companies leveraging StackHawk gain significant efficiencies by alerting developers of new issues soon after they worked on the code.

Automation in CICD

Speaking of CICD…

Making software delivery efficient requires consistent, automated testing every time a developer checks-in code.

Burp Suite Enterprise and StackHawk take different approaches to how security testing lives in CICD. Depending on how your team is thinking about automating security, Burp or StackHawk could be right for your use case.

Automating from CICD with Burp Suite

With Burp Suite Enterprise, teams can create an API user that will integrate with a CICD system to kick off a scan of a publicly accessible staging site.  Burp has two native CICD integrations - Jenkins and TeamCity. Users can also utilize the Burp REST API to integrate into other CICD tooling. 

While it is nice functionality for the scan kick off to be automated, this approach comes with a few shortcomings. 

First, requiring the site to be accessible to the scanner means that teams cannot test underlying microservices or APIs independently. Instead, the scanner will crawl the front-end of the application and test the full customer facing application. This results in longer scan times and less clarity on which teams should fix identified issues.

Second, teams can run into latency problems since the scanner and app are not colocated. 

Lastly, and most importantly, Burp’s CICD integrations lack reporting visibility that is fed back into the CICD system after a scan is kicked off. Developers can get JSON results via cURL, but results are not natively sent into the CICD system. Instead users need to log into Burp Suite to see results. This creates a huge disconnect in the security process as developers cannot remediate in the CICD workflow

Automating in CICD with StackHawk

StackHawk is the only DAST scanner on the market that allows software delivery teams to run automated vulnerability testing in CI/CD. 

By running in CICD alongside build and integration testing, teams can:

  • Test faster, since the scanner is run alongside the app in the CI tool.

  • Test smaller increments of change, alerting developers if they have introduced a new vulnerability so they can quickly find and fix.

  • Test underlying microservices and APIs instead of the publicly hosted application, leading to faster vulnerability identification and remediation. 

  • Test aggressively without manipulating real data or taking down a production site. 

StackHawk has optimized its underlying scanner to run quickly in pipeline. Teams can optimize the scanner to only run tests relevant to the app being tested with tech flags

And, it’s easy to integrate StackHawk into any CI system your team is using. The platform offers custom integrations for leading providers including GitHub, Jenkins, and CircleCI. But StackHawk’s YAML configuration makes it easy to execute security testing as part of your standard build pipeline in any CI tool. 

StackHawk’s results are displayed in the CI tool. If StackHawk discovers a new, critical vulnerability has been introduced, users can configure the scanner to automatically feed a 42 exit code and break the build so vulnerabilities are not pushed into prod. 

How to Think About Automating DAST in CICD

With Burp Suite, the first time a dynamic application security test can be run is when a publicly available build of the application is created, typically as a final step before deployment. While individual approaches vary by company, in most cases, this occurs long after a developer has pushed their changes. With StackHawk, a developer is notified quickly (often on the pull request) if they have introduced a new vulnerability, allowing them to fix the issue while they still recall what they were just working on. Much has been written about the efficiencies of shifting testing left - StackHawk enables teams to realize these efficiencies for application and API security.

Complete Coverage for APIs

API security testing is a growing concern. Gartner expects that 90% of web-enabled applications will have more surface area for an attack in the form of exposed APIs rather than the UI, and API abuses will be the vector most responsible for data breaches. 

It is critical that whatever application security tool you use offers complete coverage for API security.

API Security Testing with Burp Suite

Burp offers REST API scanning capabilities that can deliver thorough coverage. Users can upload their OpenAPI 3.0 spec to the platform for the scanner to parse the API endpoints. Compared to most tools on the market that only access the API via the UI, this is a way to guarantee much more comprehensive API coverage. 

If your team uses SOAP or GraphQL APIs, the coverage is less complete. Users have created add-ons to support coverage for these API technologies, but they are not native to Burp. 

One of the Burp scanner’s weak points is that it does not offer customized scan configs for API security testing. Users can choose between the traditional scan profiles for apps that can be optimized for scan times, thoroughness, or audit coverage. 

API Security Testing with StackHawk

StackHawk has created the industry’s fastest, most accurate dynamic security testing for APIs by optimizing the way a scan is configured, the way APIs are invoked, and the way vulnerabilities are reported on for REST, SOAP, and GraphQL APIs. 

Like Burp, users can preload the scanner with API documentation to ensure complete coverage. Unlike Burp, StackHawk can be pre-seeded with OpenAPI spec version 2.0 or 3.0, the GraphQL introspection endpoint, or a WSDL file. 

From there, users can pull a pretuned default scan config for the API technology being tested. This ensures that the scanner will run the meaningful tests for your API technology, and that the API will be invoked correctly (ie., REST APIs will only be sent JSON payloads). This means users get lightning fast and highly accurate scans for APIs. 

By implementing API security testing with StackHawk, organizations can better protect attack surfaces that traditional DAST scanners are unable to fully scan, and keep pace with rapid iterations pushed by development teams.

Built for Developers

Modern orgs are done with dividing the roles of finding and fixing vulnerabilities between security and development. Instead, teams are working to shift security left by embedding security into the development process. 

Doing so requires that developers have the resources and tooling to find, understand, and fix security vulnerabilities before they ship code. 

Burp’s Dev-Friendly Features

Burp has begun to deliver a handful of developer-friendly features. 

For instance, the tool has a Jira integration that allows for users to create issues out of new vulnerabilities. In those Jira tickets, users will find links to cheat sheets to help developers understand the vulnerability. 

But what developers need to fix findings as they deliver code is lacking. 

Developers have no way of recreating findings, or validating fixes. And since the scans are running on a staging environment, the developer may have committed the code long before the vulnerability was found.

Burp is still a security user’s tool, which is now delivering findings to developers via Jira tickets instead of a pdf.  

For Burp Suite Enterprise users, security is either blocking releases or playing catch-up. Security is an afterthought for engineers and fixing vulnerabilities means taking time away from feature development and long fix times

StackHawk’s Dev-Friendly Features

StackHawk has reimagined the security testing process to live closer to the code, giving developers the ability to find and fix vulnerabilities as they write code. Gone are the days of pdf reports or endless Jira tickets. If a new vulnerability is introduced, developers get the right information to make informed risk decisions, guidance to recreate the vulnerability, and instant fix validation.  

This comes to life through a few key features. 

First, StackHawk notifies developers about new vulnerabilities where they are already working. Whether it is GitHub, Slack, DataDog, or MS Teams, developers are notified when a scan is completed so they can see findings immediately. 

If a new vulnerability is introduced, teams are directed to the finding details which include cheat sheets and documentation for how to fix a vulnerability, as well as a cURL command that allows them to recreate the vulnerability locally. 

Once a dev thinks she has fixed the vulnerability, she can validate the fix locally by running StackHawk on their machine before pushing the change back to CI. 

The beauty of this entire process is that it all happens while a dev is in the context of their code. They are notified as soon as code is committed if a new vulnerability is introduced, have the tools to remediate right away, and can check their fix before recommitting. 

Find and Fix Application Security Vulnerabilities with Automated Testing

So, Which One to Choose?

Burp has a great reputation for its manual proxy testing capabilities, but their Enterprise tooling misses the mark on the needs of modern security teams looking to automate AppSec testing. 

We’re obviously biased, but there are significant benefits of using a tool like StackHawk for your application security testing. With StackHawk, you get the benefits of a trusted, powerful scanner combined with the modern experience teams need to run an effective security program that keeps pace with development teams. 

So go ahead – get started with a StackHawk trial or free account today.


Rebecca Warren  |  April 29, 2021

Read More

Add AppSec to Your CircleCI Pipeline With the StackHawk Orb

Add AppSec to Your CircleCI Pipeline With the StackHawk Orb

Application Security is Broken. Here is How We Intend to Fix It.

Application Security is Broken. Here is How We Intend to Fix It.

Using StackHawk in GitLab Know Before You Go (Live)

Using StackHawk in GitLab Know Before You Go (Live)