Notice ID: BurpSuiteTools_2023
Description
ACF Tech currently supports a cloud based General Support System (GSS) in the AWS commercial cloud. This legacy environment is not built to support the functional, operational and security requirements needed to properly manage and secure modern applications. The Next Generation Secure Cloud (NGSC) initiative builds a new, robust and secure AWS based GSS environment, to support current and future ACF needs. NGSC has been built using modern cloud architecture practices and will leverage state of the art monitoring, management, and automation tools.
OBJECTIVE
ACF Tech requires an ACF Tech controlled and maintained Dynamic Application Scanning (DAST) and web application Penetration Testing (PEN Test) tools to comply with Federal Mandate OMB M-21-31, as well as support compliance with Executive Order 14028 for the adoption of Zero Trust Architectures. These tools must provide:
- Scan Scheduling
- Scans for OWASP TOP 10 weaknesses
- Supports credentialed scans
- Supports multiple types of Web Applications
- Drupal
- PHP
- .Net
- XML
- HTML5
Without ACF Tech controlled and maintained Dynamic Application Scanning DAST and Web Application PEN Testing tools, ACF systems and data are at risk. ACF Tech has been reliant on HHS resources to run scans for ACF Tech, and this process is not efficient. ACF Tech selected Burp Suite Enterprise and BurpeSuite Professional, as market leading security tools, to deploy in support of NGSC and other legacy ACF environments. Burp Suite tools use an advanced crawling algorithms to build target profiles in a similar way to a tester. They are designed to handle dynamic content, unstable internet connections, many API definitions, and the vast scale of modern web applications. It will provide ACF Tech visibility into its web-based security posture.
Key features of these Burp Suite tools are:
- Enterprise level UI for management
- Authenticated scanning
- Scheduled scanning
- Very low level of false positives
