Quick Start

There are two options with getting your System(s) under Test:

  • PurpleTeam cloud. All back-end services are set-up and ready to go
  • PurpleTeam local. You set-up everything yourself

Both cloud and local use the same code base.

PurpleTeam cloud (BinaryMist PurpleTeam)

The quickest way to get up and running with having your Web application and/or API under test is to take the PurpleTeam cloud path. At a high level, these steps look like the following:

  1. Obtain a PurpleTeam-Labs cloud account. We set-up and manage everything in the cloud for you. If you decide to take the local path instead, this will be your responsibility
  2. Get the PurpleTeam CLI (purpleteam) on your system and configure it
  3. Create a Job. There are some examples here
  4. Start testing

PurpleTeam CLI can be run manually, driven from your CI, or other builds, to continuously inform you of security regressions in the Web applications and APIs that you are developing. This way you can easily find and fix your defects as they are being introduced.

Follow all directions under cloud.

PurpleTeam local (OWASP PurpleTeam)

If you choose to go the PurpleTeam local path, a non-trivial set-up is required to get up and running.

Follow all directions under local.

Optimal Sequence of Steps

Once you have decided you’re going with local or cloud

  • local - You have been through the Local Set-up, respective README’s, Workflow, the PurpleTeam CLI is ready to run and you have a basic Job file without any routes specified
  • cloud - You have been through the PurpleTeam-Labs induction and signed up for a PurpleTeam-Labs account, the PurpleTeam CLI is ready to run and you have a basic Job file without any routes specified

Additional efforts after that will be mainly focussed on tweaking and modifying your Job files. The general steps will be the following but not necessarily in this order:

  1. Perform a Test Run using the CLI
  2. Add authentication if your System Under Test (SUT) requires it
  3. Specify some routes to test
  4. Put the CLI into your build pipeline
  5. Add and extend to your existing Job file, there are many additional knobs and levers you can apply and tweak

1. Perform a Test Run using the CLI

With a very basic BrowserApp Job file without any routes specified PurpleTeam will scan from the root of your web application recursively. If you’re starting with scanning your API, you will be using the Api schema and will need to provide the definitions for your API.

2. Add authentication if your SUT requires it

Many web applications and APIs require the user to authenticate to access various routes and end-points, think of PurpleTeam as another user. There are many different ways this can happen. The easiest approach if possible is to disable as much of the authentication as possible in order to test your application or APIs core functionality, of course there are many cases where this is not possible.

The PurpleTeam App Tester provides a set of default strategies for authenticating to your web applications and APIs. These are discussed further in the Job File documentation. If your authentication scenario is not currently covered by our current set of strategies, you can add or modify code to cover your scenario, strategies are usually not too difficult to add, and can then be specified in your Job file.

Next Steps provides more detail around authenticated scanning.

3. Specify some routes to test

This only applies if your System Under Test (SUT) is a BrowserApp.

There are details around this in the BrowserApp Job File documentation. If you are testing an API, then you have already provided your API definition in your Api Job file.

4. Put the CLI into your build pipeline

There are some details in the CLI README, it’s also worth discussing this on one of our Slack channels.

5. Add and extend to your existing Job file

Work through the many possible options in the Job (BrowserApp or Api) File documentation.

Previous
Next