API scanning in Burp Suite Pro
Problem: In an industry where APIs are being used more frequently, Burp Suite Pro and Enterprise were not effective at scanning them.
Role: Research, UX/UI Design
Duration: 2 months
Challenges
In Burp Suite Pro and Enterprise, while users have the capability to efficiently scan their web applications, API scanning has historically presented challenges.
Increasing demand for API scanning functionality meant we needed to ensure we were focusing on the right problems to solve early on in the process.
In Burp Suite Pro and Burp Suite Enterprise, enhancing API scanning means improving the tools' ability to find and fix weaknesses in these critical access points, safeguarding sensitive data from cyber threats.
User interviews
We worked with stakeholders across the relevant teams to collect what we knew, any assumptions we had and any outstanding questions we still had. We wanted to understand and agree on what we were looking to learn.
From there we wrote an interview script to cover all of the open questions and assumptions we had around API scanning.
For our interviews we reached out to customers who, from Tech Support and Advocate cases, we knew had an interest in and history of API scanning.
Defining the problem space
Actions taken:
- Looked into lost deal cases to understand where our shortfalls were, especially as this was an enterprise heavy feature.
- Sought out data on why API scans had failed from the telemetry we collected.
- Spoke to customers of both Burp Suite Pro and Burp Suite Enterprise to understand their current needs and frustrations.
Combined research findings
The summary of the research gave us three key themes to move forward with:
- Top scan failure reasons were strings without example values, numbers or enumerations, content types not being supported, and authentication.
- Top user pains were the ability to upload APIs from a definition file, discoverability, coverage and authentication.
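A pre-upload check for the three failure causes listed above, written as an added example (not PortSwigger's code): it walks a parsed OpenAPI 3 definition and reports string parameters with no example or enum, request-body content types outside an assumed supported set, and security schemes outside an assumed supported set. The supported sets and the sample definition are constructed for illustration.

```python
import json

# Assumed (for illustration only) sets of what the scanner can handle.
SUPPORTED_CONTENT_TYPES = {"application/json", "application/x-www-form-urlencoded"}
SUPPORTED_AUTH_TYPES = {"http", "apiKey"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def check_definition(spec):
    """Return (location, issue) findings for a parsed OpenAPI 3 document."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as 'summary'
            where = f"{method.upper()} {path}"
            # 1. String parameters with no example or enum: nothing valid to send.
            for p in op.get("parameters", []):
                schema = p.get("schema", {})
                has_value = "example" in p or "example" in schema or "enum" in schema
                if schema.get("type") == "string" and not has_value:
                    findings.append((where, f"string parameter '{p['name']}' has no example or enum"))
            # 2. Request-body content types the scanner cannot generate.
            for ctype in op.get("requestBody", {}).get("content", {}):
                if ctype not in SUPPORTED_CONTENT_TYPES:
                    findings.append((where, f"unsupported content type {ctype}"))
    # 3. Security schemes the scanner has no way to authenticate with.
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") not in SUPPORTED_AUTH_TYPES:
            findings.append(("securitySchemes", f"'{name}' uses unsupported auth type {scheme.get('type')}"))
    return findings


# Constructed sample definition that trips all three checks once.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "paths": {
    "/search": {"get": {"parameters": [
      {"name": "q", "in": "query", "schema": {"type": "string"}},
      {"name": "sort", "in": "query", "schema": {"type": "string", "enum": ["asc", "desc"]}}]}},
    "/upload": {"post": {"requestBody": {"content": {"multipart/form-data": {}}}}}
  },
  "components": {"securitySchemes": {
    "bearer": {"type": "http", "scheme": "bearer"},
    "sso": {"type": "oauth2", "flows": {}}}}
}""")

if __name__ == "__main__":
    for where, issue in check_definition(SAMPLE_SPEC):
        print(f"{where}: {issue}")
```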
We were still unsure of some areas:
- Which authentication types users wanted support for; we felt we needed larger numbers to reach significance on knowing what to support.
- Whether users wanted to scan APIs as part of a web application, and if so why.
To move forward and give stakeholders confidence in our decision making, we sent a survey out to put statistical significance behind some of the user pains.
From the survey we were able to determine a priority order for which auth types we would initially support and which API definition formats we would support, enabling us to move quickly with our release cadence.
Ideation
We ran a workshop with stakeholders to define the user journey map and ideate on how users might use multiple techniques to supply an API and corresponding authentication to scan effectively.
From here we gathered outstanding questions on the suggested flows and moved into high-fidelity ideation to prototype and user test.
User testing
We tested the journey with five Burp Suite Pro participants, using scenario-based testing to see if they successfully completed the task given.
Whilst measuring task success, we also asked them various questions around expectations, likes and dislikes.
Overall the testing was successful, with all participants successfully finding where they would scan an API and moving through the process without issue.
We took on further feedback to enhance the journey, such as additional filters and language clarity.
What went live
Feedback and next steps
API scanning capability was introduced to early adopter channels; we released in phases to deliver value to the customer as quickly as possible and to enable us to gather rapid feedback.
The initial release was the ability to upload an API definition without authentication. Most popular authentication types followed in the next release.
I created Grafana telemetry boards to measure the number of scan errors relative to the number of scans being run, then planned monthly reports to determine which unsupported feature was behind each error, to help us shape the future roadmap.
But was it successful?
In short, yes. Users are now able to scan APIs successfully by uploading a definition file.
Early release and social feedback has been largely positive.