There are two options with getting your System(s) under Test:
cloud. All back-end services are set-up and ready to go
local. You set-up everything yourself
local use the same code base.
cloud (BinaryMist PurpleTeam)
The quickest way to get up and running with having your Web application and/or API under test is to take the PurpleTeam
cloud path. At a high level, these steps look like the following:
- Obtain a PurpleTeam-Labs
cloudaccount. We set-up and manage everything in the cloud for you. If you decide to take the
localpath instead, this will be your responsibility
- Get the PurpleTeam CLI (purpleteam) on your system and configure it
- Create a Job. There are some examples here
- Start testing
PurpleTeam CLI can be run manually, driven from your CI, or other builds, to continuously inform you of security regressions in the Web applications and APIs that you are developing. This way you can easily find and fix your defects as they are being introduced.
Follow all directions under
local (OWASP PurpleTeam)
If you choose to go the PurpleTeam
local path, a non-trivial set-up is required to get up and running.
Follow all directions under
Optimal Sequence of Steps
Once you have decided you’re going with
local- You have been through the Local Set-up, respective README’s, Workflow, the PurpleTeam CLI is ready to run and you have a basic Job file without any routes specified
cloud- You have been through the PurpleTeam-Labs induction and signed up for a PurpleTeam-Labs account, the PurpleTeam CLI is ready to run and you have a basic Job file without any routes specified
Additional efforts after that will be mainly focussed on tweaking and modifying your Job files. The general steps will be the following but not necessarily in this order:
- Perform a Test Run using the CLI
- Add authentication if your System Under Test (SUT) requires it
- Specify some routes to test
- Put the CLI into your build pipeline
- Add and extend to your existing Job file, there are many additional knobs and levers you can apply and tweak
1. Perform a Test Run using the CLI
With a very basic
BrowserApp Job file without any routes specified PurpleTeam will scan from the root of your web application recursively.
If you’re starting with scanning your API, you will be using the
Api schema and will need to provide the definitions for your API.
2. Add authentication if your SUT requires it
Many web applications and APIs require the user to authenticate to access various routes and end-points, think of PurpleTeam as another user. There are many different ways this can happen. The easiest approach if possible is to disable as much of the authentication as possible in order to test your application or APIs core functionality, of course there are many cases where this is not possible.
The PurpleTeam App Tester provides a set of default strategies for authenticating to your web applications and APIs. These are discussed further in the Job File documentation. If your authentication scenario is not currently covered by our current set of strategies, you can add or modify code to cover your scenario, strategies are usually not too difficult to add, and can then be specified in your Job file.
Next Steps provides more detail around authenticated scanning.
3. Specify some routes to test
This only applies if your System Under Test (SUT) is a
There are details around this in the
BrowserApp Job File documentation. If you are testing an API, then you have already provided your API definition in your
Api Job file.
4. Put the CLI into your build pipeline
There are some details in the CLI README, it’s also worth discussing this on one of our Slack channels.
5. Add and extend to your existing Job file
Work through the many possible options in the Job (
Api) File documentation.