This week Serhii Korolenko has obtained a Burp Suite Certified Practitioner certificate, and we congratulate him on this achievement! Well, there is a bit of irony here, of course. Let us explain.
Everyone in the application security industry knows that PortSwigger’s Burp Suite is probably the best tool for dynamic application security testing. It offers a highly capable intercepting proxy with the ability to edit and replay HTTP requests, along with numerous automation capabilities. It also comes with a vast extension ecosystem that allows scanning for both widespread vulnerabilities and specific web application security issues.
Burp Suite is undoubtedly one of the best implementations of the human-driven, tool-assisted security testing paradigm, and it is certainly in every cyber security company’s web penetration testing toolkit.
As part of their mission, the PortSwigger team has created a series of free online labs – the Web Security Academy. The academy teaches security professionals how to analyze modern web applications for security vulnerabilities, from simple ones, such as clickjacking, to ones as severe as SQL injection.
The academy covers so much ground that we at Berezha Security Group gladly invite job candidates for interviews if they have completed over 50% of the labs. We use Web Security Academy labs in our own Web Application Pentester Training course, and we teach Burp Suite in it as well.
And now, PortSwigger’s Web Security Academy has created a certification that helps professionals demonstrate that they can:
– Detect and prove the full business impact of a wide range of common web vulnerabilities.
– Adapt attack methods to bypass broken defenses, using knowledge of fundamental web technologies.
– Quickly identify weak points within an attack surface, and perform out-of-band attacks to attack them.
The certification does not require candidates to have long-term experience with any Burp Suite product, whether Burp Suite Professional or Burp Suite Enterprise Edition. Nor does it expect them to know the latest Burp Suite features. Instead, the certification program allows web application penetration testers to prove their skills in a challenge created by the developers of the world’s #1 web penetration testing tool.
To become a Burp Suite Certified Practitioner, candidates must successfully pass a four-hour exam. The exam consists of several practical tasks and is specifically designed to test the candidate’s knowledge of web application vulnerabilities and their skills in exploiting them.
To prepare for the exam, candidates need to complete all “Apprentice” and “Practitioner” level labs in the Web Security Academy. This ensures that candidates know the practical challenges web application pentesters face in their work.
After completing the labs and meeting the minimum requirements for taking the exam, candidates get an opportunity to attempt a Burp Suite Certified practice exam. The practice exam allows them to check their knowledge and abilities against the challenge, understand the sophistication of the final exam, and save time and money on potentially failed attempts. It also familiarizes candidates with the examination tactics and time constraints.
After all the preparation, candidates can purchase and attempt the final exam. The price of one attempt is $99. After successfully passing the exam, the candidate becomes Burp Suite Certified and receives a digital certificate available at a unique URL where anyone can verify it. Serhii’s one is accessible by this link.
Of course, for Serhii, our Lead Consultant and a long-term expert user of Burp Suite, this certification was not, in fact, challenging. However, as the leader of the BSG Training line of business, he was curious to test his skills against a world-class pentesting exam.
Serhii went through the labs and the practice exam to understand the process and form an impression of it. As more and more Burp Suite Certified Practitioners appear on the job market, BSG has to be aware of what the certificate means and how hard it is to get.
As the BSG team continues to learn, train, and get certified, we will keep you up to date with our achievements. We hope this activity will help our colleagues in the cyber security industry figure out their career paths and learn about specific certification requirements and exam tactics. So stay tuned and be safe out there!