I’m currently a manual software tester looking to “shift left” into a broader QA engineering role. I’m exploring tools that could expand my skill set, and Burp Suite caught my attention.
Would learning Burp Suite be a worthwhile investment for someone in QA, or is it typically reserved for dedicated security roles? Have others here used it as part of their QA workflow, and if so, how did it fit into your day-to-day testing responsibilities?
I’d love to hear your experiences and advice on where Burp Suite fits within the QA landscape.
For many, the use of Burp Suite and security testing epitomises manual testing, and it’s a good tool to start with to gain a slightly better understanding of what manual testing can be all about.
Let’s start by flagging that it’s a powerful tool with a lot of features. One of my colleagues used the Pro version, but he specialises in security testing whilst I do not, and I have not found the need yet for the Pro version, potentially due to having him there for that deeper stuff.
For a while I used it a lot, often to do things that other tools also did, but it fitted my setup at the time. This usage was not so much penetration testing but more general testing, which may be worth doing as a starting point to get used to the tool before starting to look at the scanners.
Network traffic monitoring and debugging - as mentioned, other tools do this, but it was my main usage.
Burp Repeater - again, extending the traffic with interception, changes and replay allows for experiments and investigation. There were also elements like authentication and cookie control.
I tend to do local builds these days and that reduced my usage for those above basics.
PortSwigger provides really good training to go deeper; I found these exercises tough but very good.
I flag this as being a great example of what hands-on testing should be all about: technical investigations of risk using whatever tools match the risk being investigated. Security testing re-emphasises the technical and investigative side of hands-on testing, so it’s a good one; you are not really transitioning away from manual testing but potentially going deeper and more technical into it.
Burp and the like are one way to broaden oneself as a manual tester.
Another one is automation. I myself am not too interested in programming (I know it at a university project level but have not done much programming during 30 years in the software business), but AI does change this massively in many ways. Not what you were asking for, but I saw that “expand my skill set”… just saying.
Thanks so much for this thoughtful reply, it really helped me reframe things. I’d been thinking of “shifting left” mostly in terms of automation and pipelines, but your perspective reminded me that there’s a whole technical side of manual testing I’ve barely scratched. Burp Suite feels like a great way to deepen that investigative mindset.
My company does use third-party penetration testers for formal security audits, but I’m keen to use Burp Suite more for general bug hunting.
Also, thanks for flagging the PortSwigger training. I’ll definitely be diving into that, sounds like a solid way to stretch my skills.
Appreciate you taking the time to share your experience.
Thanks for your reply, and for the reminder to keep exploring automation. It’s interesting to see how AI might help leapfrog some of the trickier parts, especially for those of us who didn’t get to study programming in depth. I still think coding skills are crucial, but maybe AI will reshape how we learn and even how we write code in the future.
I agree with most of it, but I would like to ponder a little on that programming part, because I think there is a not-so-slight difference between a good programming brain and a good tester brain. I did indeed study programming in depth, the most advanced computer-centred Civ Ing in the late 80’s, being a young guy not sure about himself and what he ought to do.
I do not have love for programming as such even if I know it, and this goes over to maths, fiddling with tech things at home and in discussions. I am good at it, but details and complexity as such are not what rock my boat. It’s to understand systems, to solve problems (even if it takes knowing details), and generally to look at things from above. I do see this in a lot of troubleshooter-level testers I’ve worked with over the years. Many of us go on to have pretty nice managerial and leadership careers; I did too, even if I went back to what I like most, wanting to end my career having fun.
There IS - especially among some not-so-technical managers - the idea that there are “developers”, that every technician should be a good programmer too, but it takes a lot more than good programming skills to make a computer thing fly.
Testing software you do of course have to be familiar with code, even be a pretty decent programmer, but what AI does to automation for those of us who have a strong testing brain is to make it happen. I love automation these days; I used to hate it just 5 years ago. And automation code is not the same as senior programmer code, and unless one has the programming bug in oneself there is no need to strive for excellence in “automation programming”.
I’d say it depends on your inclination for where you want your career to go; however, a lot of engineering orgs will have a dedicated security specialist or use dedicated pen testers. Knowing a DAST (Dynamic Application Security Testing) tool like OWASP ZAP or Burp can help you push security testing left… but might not make the biggest impact.
I find that I get a lot more use out of being able to run performance testing at the API layer (Postman or k6 are good tools for that) with teams. Performance testing comes up more frequently than security vulnerability scanning.
Or… if security is really your bag, I’d invest some time into learning threat modelling as a way to shift security testing left, at the design stage. That’s a really useful skill to have!
Interesting, I hadn’t come across “Civ Ing” before. That’s the Swedish Civilingenjör, right?
Slightly off-topic perhaps, but it sparked something for me. I often wrestle with understanding how I’m wired. I love detail, but like you, I’m not drawn to programming. What really energizes me is seeing the whole picture, the system as a whole, not just the code.
I’m an INFJ on the Myers-Briggs, so that blend of structure and intuition can be a bit confusing. I don’t think I’m wired logically enough to thrive as a coder, but I do enjoy solving problems and making sense of complexity from a higher level.
I recently watched a video by Vinh Giang about Red, Blue, Yellow, and Green personality types. I’ve no idea which one I am! Here’s the link if you’re curious:
Vinh Giang – Communication Styles
Lots of food for thought about direction and fit. Right now, I’m really enjoying my job, so I’m focusing on skill expansion within my current company, which helps narrow things down a bit.
Thanks for the advice, that’s really helpful. I’ve been wondering how useful it would be to pursue security testing in my current role, and your perspective helps frame that more clearly.
I agree that performance testing skills could be a great asset in my day-to-day work. Processing speed is critical, and I’m especially interested in gathering meaningful metrics in areas where there’s a general sense that things are slowing down, but no hard data to back it up.
I’ve been learning Postman, though I suspect I’ll hit some limitations with the free version when it comes to performance testing. I haven’t explored k6 yet; that might be the next step. Either way, I may need to look into budget options for paid tools.
Really appreciate the clarity, this helped me narrow things down and focus my next steps.