Workshop - Automated Security Regression Testing for Web Apps and APIs with OWASP PurpleTeam

OWASP PurpleTeam is a Developer focussed security regression testing CLI (front-end) and SaaS (back-end) that targets Web Applications and APIs. It’s sweet spot is sitting in build-pipelines. The CLI and SaaS can be run from any Linux platform. PurpleTeam can be run in UI mode with a pretty CUI or headless, informing the Build User in real-time of the testing effort that is taking place in the back-end as the Tester Emissaries security test your system under test (SUT). UI mode is great for getting started so you can see what’s happening in real-time. Headless mode has been designed to be run from your CI, nightly-build pipe-lines. The two modes are easily switchable.

In this workshop (time permitting) you will set-up the back-end components, install and configure the CLI, create your Job file which specifies how to find and test your target system under test (SUT).

No actual tests need to be written. PurpleTeam is smart enough to know how to test your Web Apps and APIs.

What you need up-front

A decent night sleep before. There is a lot to get done in this short period of time!

You will need either a Web Application or API, either reachable from the Internet or locally within a Docker container that you can put into a docker-compose file in the same Docker network as PurpleTeam local, or on the day you can spin up an instance of NodeGoat (or something else as a local Docker container to join the local PurpleTeam docker network). If you decide to use NodeGoat we will provide a docker-compose override file.

If you intend on targeting an application or API on the Internet, you will need to prove you own or are responsible for it, this is non negotiable. You can do this by adding a DNS TXT record “PurpleTeam_SUT” or by adding the same text to the source of your app or API.

Things that you should try and do and/or have set-up before the workshop

These items are just time consuming to set-up and are not specifically PurpleTeam related, so you really should try and have these set-up before the workshop:

Work through the local documentation and the README files of each project, so you are at least familiar with what the steps are going to be. The more you get done before the workshop the more likely you will be to have PurpleTeam security regression testing your target Web app or API by the end of the workshop. You will need the following:

• A Linux laptop or Linux OS
• Docker and docker-compose installed
• Either a SUT (Web app or API) on the Internet to target or a local Web app or API in a Docker container that can be added to the PurpleTeam docker network (usually via docker-compose file override)
• Git (you will be cloning or forking PurpleTeam repos)
• An AWS user with CLI access, policy, credentials configured, AWS CLI, aws-sam-cli installed and configured as per the purpleteam-lambda README. We don’t need to access AWS with the local environment, but you need to have the user set-up as per the README
• (Optional) Recommend having a copy of Zap GUI ready to run on your desktop, using Zap desktop to work through some of the steps that PurpleTeam does, just makes it easier to debug and understand what PurpleTeam is doing