Burp Suite Pro Site Reliability SRE คืออะไร
Burp Suite Pro เป็น web application security testing tool ชั้นนำจาก PortSwigger ใช้ในการทดสอบ vulnerabilities ของเว็บแอปพลิเคชัน Site Reliability Engineering (SRE) คือแนวทางการดูแลระบบที่นำ software engineering มาใช้กับ operations เพื่อให้ระบบมี reliability สูง การรวม Burp Suite กับ SRE practices ช่วยให้ทีมสามารถ integrate security testing เข้าไปใน reliability workflows ตรวจจับ vulnerabilities ก่อนเกิด incidents และ automate security scans เป็นส่วนหนึ่งของ SLO/SLI monitoring
Burp Suite Pro สำหรับ SRE
# burp_sre.py — Burp Suite Pro in SRE workflow
import json
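class BurpSRE:
    """Reference data on where Burp Suite Pro fits into SRE workflows.

    ``INTEGRATION_POINTS`` and ``BURP_FEATURES`` are static display data;
    the ``show_*`` methods only render them to stdout. The private
    ``_*_lines`` helpers build exactly the text that is printed so the
    output can be checked without capturing stdout.
    """

    # One entry per SRE touch point. All values are display strings except
    # the optional "examples" list, of which show_integration() renders
    # only the first two entries.
    INTEGRATION_POINTS = {
        "ci_cd": {
            "name": "CI/CD Pipeline Security Scanning",
            "description": "รัน Burp Scanner อัตโนมัติใน deployment pipeline",
            "when": "ก่อน deploy production ทุกครั้ง",
            "tool": "Burp Suite Enterprise / REST API",
        },
        "slo_security": {
            "name": "Security SLOs",
            "description": "กำหนด SLO สำหรับ security metrics",
            "examples": ["Critical vulns resolved < 24h", "DAST scan coverage > 90%", "Zero known SQLi/XSS in production"],
        },
        "incident_response": {
            "name": "Security Incident Investigation",
            "description": "ใช้ Burp Proxy ตรวจสอบ requests/responses ระหว่าง incident",
            "when": "เมื่อสงสัย security breach หรือ anomalous behavior",
        },
        "chaos_security": {
            "name": "Security Chaos Engineering",
            "description": "จำลอง attacks เพื่อทดสอบ defense mechanisms",
            "when": "Game days, security drills",
        },
    }

    # Burp Suite Pro components and the job each one does in this workflow.
    BURP_FEATURES = {
        "scanner": {"name": "Active Scanner", "use": "Automated vulnerability scanning (SQLi, XSS, SSRF)"},
        "proxy": {"name": "Proxy/Interceptor", "use": "Intercept and modify HTTP requests"},
        "repeater": {"name": "Repeater", "use": "Replay and modify requests for manual testing"},
        "intruder": {"name": "Intruder", "use": "Automated parameter fuzzing"},
        "collaborator": {"name": "Collaborator", "use": "Out-of-band vulnerability detection (SSRF, XXE)"},
        "api": {"name": "REST API", "use": "Programmatic control for CI/CD integration"},
    }

    def _integration_lines(self) -> list[str]:
        """Return the lines ``show_integration()`` prints, in order.

        Each point contributes its name, its description, up to two
        examples (when present) and a trailing blank line.
        """
        lines = ["=== SRE Integration Points ===", ""]
        for point in self.INTEGRATION_POINTS.values():
            lines.append(f"[{point['name']}]")
            lines.append(f" {point['description']}")
            # Only the first two examples are shown to keep the summary short.
            lines.extend(f" • {ex}" for ex in point.get("examples", [])[:2])
            lines.append("")
        return lines

    def show_integration(self) -> None:
        """Print every integration point with its description and examples."""
        print("\n".join(self._integration_lines()))

    def _feature_lines(self) -> list[str]:
        """Return the lines ``show_features()`` prints: a title then one line per feature."""
        lines = ["=== Burp Suite Pro Features ==="]
        lines.extend(f" [{feature['name']}] {feature['use']}" for feature in self.BURP_FEATURES.values())
        return lines

    def show_features(self) -> None:
        """Print the Burp feature catalogue, one feature per line."""
        print("\n".join(self._feature_lines()))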
burp = BurpSRE()
# Render the integration map first, then the feature catalogue.
for render in (burp.show_integration, burp.show_features):
    render()
Automated Security Scanning
# auto_scan.py — Automated Burp scanning via API
import json
import random
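class AutoScan:
    """Show how Burp Suite Pro scans can be driven from code.

    ``BURP_API`` is a *printed* sample, not executed by this module: the
    ``requests`` import and the HTTP calls exist only inside the string.
    ``scan_results()`` renders a fixed list of demo findings; no scan runs.
    """

    # Sample client for the Burp REST API. Review notes on the sample as
    # written (it is shown to the reader, so they inherit its gaps):
    #  - every request is sent without a ``timeout=`` and without any API
    #    key or authentication, so a real integration must add both;
    #  - ``wait_for_completion`` returns only on ``"succeeded"``, so a scan
    #    that ends in any other state is polled until ``timeout`` elapses;
    #  - ``start_scan`` takes the scan id from the ``Location`` header and
    #    never checks the response status code.
    BURP_API = """
# burp_scanner.py — Burp Suite REST API integration
import requests
import time
BURP_URL = "http://localhost:1337/v0.1"
class BurpScanner:
    def __init__(self, base_url=BURP_URL):
        self.base_url = base_url
    def start_scan(self, target_url, config="default"):
        payload = {
            "scan_configurations": [{"name": config, "type": "NamedConfiguration"}],
            "urls": [target_url],
        }
        response = requests.post(f"{self.base_url}/scan", json=payload)
        scan_id = response.headers.get("Location", "").split("/")[-1]
        print(f"Scan started: {scan_id} → {target_url}")
        return scan_id
    def get_scan_status(self, scan_id):
        response = requests.get(f"{self.base_url}/scan/{scan_id}")
        data = response.json()
        return {
            "status": data.get("scan_status"),
            "issues": len(data.get("issue_events", [])),
            "audit_items": data.get("scan_metrics", {}).get("audit_items_count", 0),
        }
    def wait_for_completion(self, scan_id, timeout=3600):
        start = time.time()
        while time.time() - start < timeout:
            status = self.get_scan_status(scan_id)
            print(f" Status: {status['status']} | Issues: {status['issues']}")
            if status["status"] == "succeeded":
                return status
            time.sleep(30)
        raise TimeoutError("Scan timed out")
    def get_issues(self, scan_id):
        response = requests.get(f"{self.base_url}/scan/{scan_id}")
        data = response.json()
        issues = []
        for event in data.get("issue_events", []):
            issue = event.get("issue", {})
            issues.append({
                "name": issue.get("name"),
                "severity": issue.get("severity"),
                "confidence": issue.get("confidence"),
                "path": issue.get("path"),
            })
        return issues
# Usage
scanner = BurpScanner()
scan_id = scanner.start_scan("https://example.com")
result = scanner.wait_for_completion(scan_id)
issues = scanner.get_issues(scan_id)
for issue in issues:
    print(f"[{issue['severity']:>8}] {issue['name']} — {issue['path']}")
"""

    def show_api(self, limit: int = 600) -> None:
        """Print a heading and the first ``limit`` characters of the API sample.

        Args:
            limit: how much of ``BURP_API`` to show; the default keeps the
                demo output short, pass a larger value for the whole sample.
        """
        print("=== Burp Suite REST API ===")
        print(self.BURP_API[:limit])

    def _result_lines(self) -> list[str]:
        """Return the lines ``scan_results()`` prints, in order.

        The findings are fixed demo data; the severity column is
        right-aligned to six characters.
        """
        issues = [
            {"severity": "HIGH", "name": "SQL Injection", "path": "/api/users?id=1", "confidence": "Certain"},
            {"severity": "HIGH", "name": "Cross-site Scripting (Reflected)", "path": "/search?q=test", "confidence": "Firm"},
            {"severity": "MEDIUM", "name": "CSRF Token Missing", "path": "/api/transfer", "confidence": "Certain"},
            {"severity": "LOW", "name": "Cookie Without HttpOnly", "path": "/login", "confidence": "Certain"},
            {"severity": "INFO", "name": "TLS 1.0 Supported", "path": "/", "confidence": "Certain"},
        ]
        # Leading "" reproduces the blank line that precedes the heading.
        lines = ["", "=== Sample Scan Results ==="]
        lines.extend(f" [{issue['severity']:>6}] {issue['name']} — {issue['path']}" for issue in issues)
        return lines

    def scan_results(self) -> None:
        """Print the demo findings table."""
        print("\n".join(self._result_lines()))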
scan = AutoScan()
# Show the API sample, then the demo findings table.
for render in (scan.show_api, scan.scan_results):
    render()
SRE Security SLOs
# slo.py — Security SLOs for SRE
import json
import random
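class SecuritySLOs:
    """Security SLO catalogue plus a demo dashboard for SRE reviews.

    ``SLOS`` is static reference data. ``dashboard()`` samples demo
    "actual" values with :mod:`random` and derives each row's MET/MISS
    label from that value against the row's target, so the printed status
    is always consistent with the number beside it.
    """

    # "slo" is either a single target string or a dict of per-severity targets.
    SLOS = {
        "vuln_resolution": {
            "name": "Vulnerability Resolution Time",
            "sli": "Time from detection to fix (hours)",
            "slo": {"critical": "< 4 hours", "high": "< 24 hours", "medium": "< 7 days", "low": "< 30 days"},
        },
        "scan_coverage": {
            "name": "DAST Scan Coverage",
            "sli": "% of endpoints scanned by Burp in last 30 days",
            "slo": "> 95% of production endpoints",
        },
        "zero_critical": {
            "name": "Zero Critical Vulns in Production",
            "sli": "Count of known critical vulns in production",
            "slo": "0 critical vulns at any time",
        },
        "mttr_security": {
            "name": "Security MTTR",
            "sli": "Mean time to remediate security issues",
            "slo": "< 48 hours for HIGH severity",
        },
    }

    def _slo_lines(self) -> list[str]:
        """Return the lines ``show_slos()`` prints, in order."""
        lines = ["=== Security SLOs ===", ""]
        for slo in self.SLOS.values():
            lines.append(f"[{slo['name']}]")
            lines.append(f" SLI: {slo['sli']}")
            target = slo["slo"]
            # Per-severity SLOs are a dict; a single target is a string.
            if isinstance(target, dict):
                lines.extend(f" {sev}: {goal}" for sev, goal in target.items())
            else:
                lines.append(f" SLO: {target}")
            lines.append("")
        return lines

    def show_slos(self) -> None:
        """Print every SLO with its SLI and target(s)."""
        print("\n".join(self._slo_lines()))

    @staticmethod
    def _status(met: bool) -> str:
        """Map a pass/fail check to the dashboard's MET/MISS label."""
        return "MET" if met else "MISS"

    def _dashboard_rows(self) -> list[dict[str, str]]:
        """Sample one dashboard snapshot.

        Returns one row per SLO with display strings for target and actual.
        The "status" is computed from the sampled value against the target
        (strict comparisons, matching the "<" / ">" in the target text)
        rather than drawn independently at random.
        """
        crit_hours = random.randint(1, 6)
        coverage = random.randint(90, 99)
        crit_open = random.randint(0, 1)
        mttr_hours = random.randint(12, 60)
        return [
            {"slo": "Vuln Resolution (Critical)", "target": "< 4h",
             "actual": f"{crit_hours}h", "status": self._status(crit_hours < 4)},
            {"slo": "DAST Coverage", "target": "> 95%",
             "actual": f"{coverage}%", "status": self._status(coverage > 95)},
            {"slo": "Zero Critical Vulns", "target": "0",
             "actual": str(crit_open), "status": self._status(crit_open == 0)},
            {"slo": "Security MTTR", "target": "< 48h",
             "actual": f"{mttr_hours}h", "status": self._status(mttr_hours < 48)},
        ]

    def dashboard(self) -> None:
        """Print a sampled SLO dashboard, one aligned row per SLO."""
        print("=== Security SLO Dashboard ===")
        for row in self._dashboard_rows():
            print(f" [{row['status']:>4}] {row['slo']:<30} Target: {row['target']:<8} Actual: {row['actual']}")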
slo = SecuritySLOs()
# List the SLO definitions, then the sampled dashboard.
for render in (slo.show_slos, slo.dashboard):
    render()
CI/CD Integration
# cicd.py — Burp Suite in CI/CD pipeline
import json
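class CICDIntegration:
    """Sample GitHub Actions workflow and gate policy for Burp in CI/CD.

    ``PIPELINE`` is a *printed* sample of a workflow file; nothing here
    runs it. ``gate_policy()`` renders a fixed list of merge/deploy gates.
    """

    # Notes on the sample workflow:
    #  - BURP_API_KEY is read from the CI secret store, never written into
    #    the workflow file;
    #  - "Upload Report" uses ``if: always()`` so the report survives a
    #    failing scan step;
    #  - "Check Results" runs after the scan and is what enforces the
    #    max-critical / max-high thresholds.
    PIPELINE = """
# .github/workflows/security-scan.yml
name: Security Scan
on:
  pull_request:
  push:
    branches: [main]
jobs:
  burp-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start Application
        run: docker-compose up -d
      - name: Wait for app ready
        run: |
          timeout 60 bash -c 'until curl -s http://localhost:8080/health; do sleep 2; done'
      - name: Run Burp Scan
        env:
          BURP_API_KEY: ${{ secrets.BURP_API_KEY }}
        run: |
          python3 scripts/burp_scan.py \\
            --target http://localhost:8080 \\
            --config "Audit checks - all except time-based" \\
            --fail-on HIGH
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: burp-scan-report
          path: reports/burp-scan-*.html
      - name: Check Results
        run: |
          python3 scripts/check_results.py \\
            --max-critical 0 \\
            --max-high 0
"""

    def show_pipeline(self, limit: int = 600) -> None:
        """Print a heading and the first ``limit`` characters of the workflow sample.

        Args:
            limit: how much of ``PIPELINE`` to show; the default keeps the
                demo output short, pass a larger value for the whole file.
        """
        print("=== CI/CD Pipeline ===")
        print(self.PIPELINE[:limit])

    def _policy_lines(self) -> list[str]:
        """Return the lines ``gate_policy()`` prints, in order."""
        policies = [
            {"gate": "PR Merge", "rule": "0 Critical, 0 High vulns"},
            {"gate": "Staging Deploy", "rule": "0 Critical vulns, scan coverage > 80%"},
            {"gate": "Production Deploy", "rule": "0 Critical/High vulns, full scan < 7 days"},
            {"gate": "Weekly Audit", "rule": "All vulns documented, SLOs met"},
        ]
        # Leading "" reproduces the blank line that precedes the heading.
        lines = ["", "=== Security Gate Policy ==="]
        lines.extend(f" [{policy['gate']}] {policy['rule']}" for policy in policies)
        return lines

    def gate_policy(self) -> None:
        """Print the security gate policy, one gate per line."""
        print("\n".join(self._policy_lines()))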
cicd = CICDIntegration()
# Show the workflow sample, then the gate policy.
for render in (cicd.show_pipeline, cicd.gate_policy):
    render()
Incident Response
# incident.py — Security incident response with Burp
import json
import random
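class IncidentResponse:
    """Incident response playbook showing Burp's role per phase, plus demo metrics.

    ``PLAYBOOK`` is static reference data; ``metrics()`` prints values
    sampled with :mod:`random` purely for demonstration.
    """

    # One entry per phase; show_playbook() renders only the first two actions.
    PLAYBOOK = {
        "detection": {
            "phase": "1. Detection",
            "burp_role": "Burp Collaborator detects SSRF/XXE callbacks",
            "actions": ["Check Burp Collaborator for OOB interactions", "Review WAF logs for attack patterns", "Correlate with APM metrics"],
        },
        "investigation": {
            "phase": "2. Investigation",
            "burp_role": "Use Burp Proxy to replay suspicious requests",
            "actions": ["Replay attack request in Burp Repeater", "Analyze request/response for data leakage", "Test if vulnerability is exploitable"],
        },
        "containment": {
            "phase": "3. Containment",
            "burp_role": "Verify WAF rules block the attack",
            "actions": ["Deploy WAF rule", "Test bypass attempts with Burp Intruder", "Verify containment effectiveness"],
        },
        "remediation": {
            "phase": "4. Remediation",
            "burp_role": "Verify fix eliminates vulnerability",
            "actions": ["Deploy code fix", "Re-scan with Burp Scanner", "Confirm vulnerability no longer present"],
        },
    }

    def _playbook_lines(self) -> list[str]:
        """Return the lines ``show_playbook()`` prints, in order."""
        lines = ["=== Incident Response Playbook ===", ""]
        for phase in self.PLAYBOOK.values():
            lines.append(f"[{phase['phase']}]")
            lines.append(f" Burp: {phase['burp_role']}")
            # Only the first two actions are listed to keep the summary short.
            lines.extend(f" • {action}" for action in phase["actions"][:2])
            lines.append("")
        return lines

    def show_playbook(self) -> None:
        """Print each playbook phase with Burp's role and its first two actions."""
        print("\n".join(self._playbook_lines()))

    def _sample_metrics(self) -> dict[str, object]:
        """Return one sampled set of demo incident metrics, in display order.

        Values are either preformatted strings (with units) or bare ints;
        they are random and carry no meaning beyond the demo.
        """
        return {
            "MTTD (Detect)": f"{random.randint(5, 60)} minutes",
            "MTTR (Resolve)": f"{random.randint(1, 24)} hours",
            "Incidents this month": random.randint(0, 5),
            "False positive rate": f"{random.randint(5, 20)}%",
            "Vulns found by Burp": random.randint(10, 50),
        }

    def metrics(self) -> None:
        """Print a sampled set of incident metrics, one per line."""
        print("=== Security Incident Metrics ===")
        for name, value in self._sample_metrics().items():
            print(f" {name}: {value}")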
ir = IncidentResponse()
# Walk the playbook first, then the sampled metrics.
for render in (ir.show_playbook, ir.metrics):
    render()
FAQ - คำถามที่พบบ่อย
Q: Burp Suite Pro กับ OWASP ZAP อันไหนดีสำหรับ SRE?
A:
- Burp Pro: scanner แม่นยำกว่า, Collaborator สำหรับ OOB vulns, REST API ดี, enterprise features
- ZAP: ฟรี, open source, CI/CD integration ดี, community active
- ใช้ Burp Pro: enterprise SRE, ต้องการ accuracy สูง, มีงบ
- ใช้ ZAP: budget จำกัด, open source preference, basic scanning
Q: Security SLO ตั้งอย่างไร?
A: เริ่มจาก:
- วัด baseline ก่อน (ปัจจุบัน resolve vulns ใช้เวลาเท่าไหร่?)
- ตั้ง realistic targets: Critical < 4h, High < 24h, Medium < 7d
- Review quarterly: ปรับ SLO ตาม team capacity
- Error budget: เหมือน reliability SLO ถ้า miss SLO → freeze features, focus security
Q: ควรสแกนบ่อยแค่ไหน?
A:
- ทุก PR/deploy: quick scan (10-15 นาที) สำหรับ critical vulns
- Weekly: full scan ทุก endpoints
- Daily: scan ใหม่สำหรับ changed endpoints
- เลือก scan config ตาม context: lightweight สำหรับ CI, comprehensive สำหรับ weekly
Q: Burp Suite ใช้กับ API-only services ได้ไหม?
A: ได้ดีมาก
- Import OpenAPI/Swagger spec เป็น scan target
- Burp Scanner รองรับ REST, GraphQL API testing
- ใช้ Repeater สำหรับ manual API testing
- Intruder สำหรับ parameter fuzzing ใน API
