Let’s get your Web Apps and APIs under security regression testing with OWASP PurpleTeam. In this workshop you will bring the Web app and/or API that you and/or your Development Team are working on and we will help you setup PurpleTeam local on your laptop or infrastructure to test your App or API
OWASP PurpleTeam is a Developer focussed security regression testing CLI (front-end) and SaaS (back-end) that targets Web Applications and APIs. It’s sweet spot is sitting in build-pipelines. The CLI and SaaS can be run from any Linux platform. PurpleTeam can be run in UI mode with a pretty CUI or headless, informing the Build User in real-time of the testing effort that is taking place in the back-end as the Tester Emissaries security test your system under test (SUT). UI mode is great for getting started so you can see what’s happening in real-time. Headless mode has been designed to be run from your CI, nightly-build pipe-lines. The two modes are easily switchable.
In this workshop (time permitting) you will set-up the back-end components, install and configure the CLI, create your Job file which specifies how to find and test your target system under test (SUT).
No actual tests need to be written. PurpleTeam is smart enough to know how to test your Web Apps and APIs.
A decent night sleep before. There is a lot to get done in this short period of time!
You will need either a Web Application or API, either reachable from the Internet or locally within a Docker container that you can put into a docker-compose file in the same Docker network as PurpleTeam
local, or on the day you can spin up an instance of NodeGoat (or something else as a local Docker container to join the local PurpleTeam docker network). If you decide to use NodeGoat we will provide a docker-compose override file.
If you intend on targeting an application or API on the Internet, you will need to prove you own or are responsible for it, this is non negotiable. You can do this by adding a DNS TXT record “PurpleTeam_SUT” or by adding the same text to the source of your app or API.
These items are just time consuming to set-up and are not specifically PurpleTeam related, so you really should try and have these set-up before the workshop:
Work through the local documentation and the README files of each project, so you are at least familiar with what the steps are going to be. The more you get done before the workshop the more likely you will be to have PurpleTeam security regression testing your target Web app or API by the end of the workshop. You will need the following:
localenvironment, but you need to have the user set-up as per the README