Customer case study

Key benefits

Leanne identified a number of key benefits that Shopify gains by using Burp Suite Enterprise Edition:

• Burp Suite Enterprise Edition enables Shopify to automate dynamic web application security testing across thousands of partner applications.

• Burp Suite Enterprise Edition can find common web security vulnerabilities like cross-site request forgery (CSRF) and cross-site scripting (XSS).

• Shopify's AppSec team was already familiar with using Burp Suite Professional for manual security testing, so automating with Burp Suite Enterprise Edition was a natural progression.

How is Shopify using Burp Suite Enterprise Edition?

In the case of third-party applications, a major part of Shopify's testing regime involves checking for common web security vulnerabilities such as CSRF and XSS. Shopify carries out such testing as a matter of course for all partner applications.

As its AppSec testing needs have grown, Shopify has moved away from a manual security testing model, toward increased automation when reviewing partner applications. When it comes to automating vulnerability checks like the ones above, Shopify chose a cloud-based implementation of Burp Suite Enterprise Edition.

Shopify's AppSec team uses its own custom Ruby application to carry out a number of security tests (such as SSL validation, HMAC verifications, port scanning, etc.) - and Burp Suite Enterprise Edition works within this infrastructure. So, when an automated third-party application security review is started, Shopify's application also initializes a Burp Suite Enterprise Edition scan.

Why did Shopify choose Burp Suite Enterprise Edition over other automated web vulnerability scanners?

Shopify's Application Security team is continually adapting to meet new challenges, and it uses forward-thinking strategies like bug bounty programs to ensure that those challenges are met.

When it came to selecting a web vulnerability scanner to use in its automated third party application security reviews, they tested multiple products - including Burp Suite Enterprise Edition. Following their tests, Shopify found that Burp Suite Enterprise Edition met its needs the most. Shopify also benefits from the fact that most of its AppSec engineers were existing users of Burp Suite Professional (having used it for manual testing) - meaning that they were already familiar with the Burp Suite ecosystem.

Because third party Shopify applications are written and hosted by developers outside Shopify, Shopify cannot utilize a static (SAST) approach (where a scanner reviews application source code). Burp Suite Enterprise Edition's dynamic (DAST)-based approach instead views an application from the outside (just as an attacker would), and can be very effective in this situation.

See Leanne discuss Shopify's use of Burp Suite Enterprise Edition, in a PortSwigger/HackerOne webinar.

For more information on the scanning technologies used in Burp Suite software, please see our Burp Scanner page.

About Burp Suite Enterprise Edition

Burp Suite Enterprise Edition is the enterprise-enabled web vulnerability scanner that lets you scan it all. Secure your whole web portfolio, catch critical bugs before code gets shipped, and unleash AppSec's expertise to supercharge engineering.