Talk - Building PurpleTeam (a Security Regression Testing SaaS) - From PoC to Alpha

Abstract

Developers / Engineers know that a build pipeline is an essential part of creating robust and reliable software, but what to put in it? This talk covers the creation of PurpleTeam from PoC to Alpha release, and why it’s an ideal fit for the security regression testing slot of your build pipeline.

Date
Feb 12, 2021, 14:25 — 14:55
Location
Auckland University, New Zealand

Let me take you on the journey of trials, errors, and lessons learnt from getting a web app/API security regression testing proof of concept (PoC) to the next stage (alpha release).

In 2019, I gave a talk at OWASP New Zealand Day on a security regression testing PoC I had developed based on developer feedback. Since then, on top of a normal day job, I’ve been working on this project with every spare minute of time.


Let’s walk through the:

  • Architecture: How the micro-services hang together and communicate with each other. Design decisions, including backing out of some and redesigning when I got them wrong.
  • Environments: Local, where you set up all the PurpleTeam micro-services on your own machine or within your network; and cloud, where all set-up is done for you and you just create a job file and run it.
  • Technologies: Micro-services written in NodeJS. Docker containers. Authentication/authorisation in the cloud. Lambda functions (local and cloud). Redis pub/sub and lists, along with Server Sent Events, for messaging. Many AWS services. Terraform and Terragrunt for IaC.
  • Pressures: The never-ending battle of keeping your NodeJS dependencies up to date. Forking/adopting libraries when maintainers disappear. Keeping relationships alive. Keeping yourself alive (eating, sleeping, fitness). Dealing with competitors.


We will then discuss the next steps for PurpleTeam, how you can start using it, and how you can contribute to it if it’s missing something you need.


Kim Carter
Technologist / Engineer, Information Security Professional

Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd and PurpleTeam-Labs. Ex-OWASP NZ Chapter Leader of eight years. Certified Scrum Master. Facilitator, mentor and motivator of cross-functional, self-managing teams, with a solid 20 years of commercial industry experience across many domains.