Talk - Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha


Developers / Engineers know that a build pipeline is an essential part of creating robust and reliable software, but what to put in it? This talk covers the creation of purpleteam from PoC to Alpha release, and why it’s an ideal fit for the security regression testing slot of your build pipeline.

Auckland University, New Zealand

Let me take you on the journey of trials, errors, and lessons learnt from getting a web app/API security regression testing proof of concept (PoC) to the next stage (alpha release).

In 2019, I gave a talk at OWASP New Zealand Day on a security regression testing PoC I had developed based on developer feedback. Since then, on top of a normal day job, I’ve been working on this project with every spare minute of time.

Let’s walk through the:

  • Architecture: How the micro-services hang together and communicate with each other. Design decisions, including backing out of some and redesigning when I got them wrong
  • Environments: local: you set-up all the purpleteam micro-services on your own machine or within your network. cloud: all set-up is done for you, just create a job file and run it
  • Technologies: Micro-services written in NodeJS. Docker containers. Authentication/authorisation in the cloud. Lambda functions (local and cloud). Redis pub/sub and lists, along with Server Sent Events for messaging. Many AWS services. Terraform and Terragrunt for IaC
  • Pressures: The never ending battle of keeping your NodeJS dependencies up to date. Forking/adopting libraries when maintainers disappear. Keeping relationships alive. Keeping yourself alive (eating, sleeping, fitness). Dealing with competitors

We will then discuss the next steps for purpleteam, and how you can start using - and contributing to it if it’s missing something you need.

Kim Carter
Technologist / Engineer, Information Security Professional

Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd. OWASP NZ Chapter Leader. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 20 years of commercial industry experience across many domains.