Customer case study

Caner Filibelioglu - SabancıDx

A sysadmin turned red team leader talks Burp Suite.

SabanciDx logo

Introduction

Caner Filibelioglu is a penetration tester and red team leader at SabancıDx. As a tech-focused subsidiary of the Sabancı group, SabancıDx aims to carry businesses into the future, through the innovative use of digital ideas and technology.

As one of Turkey's largest conglomerates, the Sabancı portfolio includes some of the country's largest financial and industrial interests. SabancıDx serves a range of customers, both internal and external.

Key benefits

Caner identified a number of key benefits SabancıDx gains by using Burp Suite Professional:

Burp Suite at SabancıDx

Caner's red team engagements almost always begin with social engineering. But when this fails - as it often can in today's increasingly security mature world - he begins to probe target web applications for vulnerabilities. For this, he makes heavy use of Burp Suite.

As a red team leader, Caner is an experienced Burp Suite user - and in his hands it's a potent weapon. He enjoys the fact that Burp Suite is continuously improving - where many of its competitors lag behind. This, he says, is important in a world where apps are getting smarter day by day. He's a particular fan of Burp Scanner's browser-driven scanning feature, which cuts through the modern JavaScript-heavy applications many other scanners struggle with.

DevSecOps, and the Burp Suite Enterprise Edition difference

With more than 20 companies under its roof, the Sabancı group has hundreds of web applications to protect. But in Caner's opinion, simply testing the security of a web application after its release is no longer sufficient for best practice. Nowadays, he says, the security process should really begin in development itself. This approach is often called DevSecOps.

Caner talks about how SabancıDx is improving security using a DevSecOps approach. He sees Burp Suite Enterprise Edition as key to this - allowing SabancıDx to replace other, less capable scanning products. Burp Suite Enterprise Edition will allow Caner to integrate the Burp Scanner he knows and trusts into SabancıDx's DevSecOps processes and dashboards.

The DevSecOps approach provides developers with the insights and advice they need to write secure code, starting on day one of a project. This in turn means that fewer vulnerabilities are ever released into the wild. While this leaves less "low-hanging fruit" for pentesters like Caner to exploit, it does provide them with more time to carry out advanced testing. Consequently, security tends to show an overall improvement.

From redshifts to red teaming

There's really no such thing as a "traditional route" into cybersecurity. It's interesting to note that Caner grew up wanting to be a scientist - specifically in the field of physics. In the end, that wasn't to be. But growing up, he also had a love of gaming. This fed an interest in computers, and the rest, as they say, is history.

Fast forward a few years, and Caner found himself working as a Linux sysadmin at İnnoveraBT (he has around 15 years of experience working with Debian). Caner's boss and mentor at this point, Burak Dayioglu, recognized his potential, and began to hand him cybersecurity projects to work on. And that's when he discovered pentesting.

For Caner, this was a "love at first sight" situation. Then, when he discovered bug bounty hunting and realized he could make money doing cybersecurity in his spare time, things really took off. Nowadays, Caner has a wealth of experience to draw on. And in the world of red teaming - where you're never quite sure what you're going to find on an engagement - that breadth of knowledge is incredibly useful.

Red teaming seems to suit Caner's background well. With its emphasis on deep technical knowledge, as well as on victory over the "opposing" team, it plays to both his love of science, and to the competitive streak you can find in many gamers.

Caner Filibelioglu - SabancıDx

Why SabancıDx loves PortSwigger

We've already mentioned that Caner appreciates Burp Suite's continuous improvement cycles, especially when compared to its competitors. But this isn't the only thing that stands out to him about PortSwigger. Another major plus for Caner is PortSwigger's focus on education and development in the cybersecurity sector.

Here, Caner specifically calls out the Web Security Academy. As a web security expert, he recognizes the need to keep up with the latest developments and research. This isn't always an easy thing to do, but he appreciates how the Web Security Academy enables the process, while giving back to the Burp Suite user community with free and accessible training.

Useful features

Before he discovered Burp Suite Professional, Caner used Burp Suite Community Edition for a long time. In the end, it was the speed of Burp Suite Professional that won him over - specifically its unthrottled version of Burp Intruder. He's never looked back since.

When asked, Caner also rated the PortSwigger team and Burp Suite's huge user community as "very important" in his decision to choose our software. He also stated that Burp Scanner's ability to detect the latest vulnerability types discovered by PortSwigger Research is "critical" to his ability to catch vulnerabilities that he can't with other tools.

When it comes to the type of manual work required at the top level of penetration testing, Burp Suite Professional just gives you more options. And one of the ways it does this is by saving you time. Burp Scanner is capable of automating much of your testing. This gives you more time to go after trickier vulnerabilities like business logic flaws that take a human eye to spot.

SabancıDx favorites

Caner identified a number of Burp Suite features that are key to SabancıDx's work:

In summary

Caner and SabancıDx use Burp Suite Professional at a high level. They protect some of Turkey's most important business interests. Caner agreed with the following statements:

About Burp Suite Professional

Burp Suite Professional is an advanced set of tools for testing web security - all within a single product. From a basic intercepting proxy to a cutting-edge vulnerability scanner, with Burp Suite Pro, the right tool is never more than a click away.