Quick Start

There are two options for getting your System(s) under Test:

  • PurpleTeam cloud. All back-end services are set up and ready to go
  • PurpleTeam local. You set up everything yourself

Both cloud and local use the same code base.

PurpleTeam cloud (BinaryMist PurpleTeam)

The quickest way to get up and running with your Web application and/or API under test is to take the PurpleTeam cloud path. At a high level, the steps are:

  1. Obtain a PurpleTeam-Labs cloud account. We set up and manage everything in the cloud for you. If you decide to take the local path instead, this will be your responsibility
  2. Get the PurpleTeam CLI (purpleteam) on your system and configure it
  3. Create a Job. There are some examples here
  4. Start testing

PurpleTeam CLI can be run manually, or driven from your CI or other builds, to continuously inform you of security regressions in the Web applications and APIs that you are developing. This way you can easily find and fix your defects as they are being introduced.

Follow all directions under cloud.

PurpleTeam local (OWASP PurpleTeam)

If you choose to go the PurpleTeam local path, a non-trivial set-up is required to get up and running.

Follow all directions under local.

Optimal Sequence of Steps

Once you have decided whether you are going with local or cloud:

  • local - You have been through the Local Set-up, the respective READMEs and the Workflow, the PurpleTeam CLI is ready to run, and you have a basic Job file without any routes specified
  • cloud - You have been through the PurpleTeam-Labs induction and signed up for a PurpleTeam-Labs account, the PurpleTeam CLI is ready to run, and you have a basic Job file without any routes specified

Additional effort after that will be focused mainly on tweaking and modifying your Job files. The general steps will be:

  1. Perform a Test Run using the CLI
  2. Add authentication
  3. Specify some routes to test
  4. Put the CLI into your build pipeline
  5. Add and extend to your existing Job file, there are many additional knobs and levers you can apply and tweak

1. Perform a Test Run using the CLI

With a very basic BrowserApp Job file without any routes specified, PurpleTeam will scan recursively from the root of your web application. If you are starting with scanning your API, you will be using the Api schema and will need to provide the definitions for your API.

2. Add authentication

Many web applications and APIs require the user to authenticate to access various routes and end-points; think of PurpleTeam as another user. There are many different ways this can happen. The easiest approach, where possible, is to disable as much of the authentication as you can, though there are of course many cases where this is not possible.

PurpleTeam provides a set of default strategies for authenticating to your web applications and APIs. These are discussed further in the Job File documentation. If your authentication scenario is not covered by our current strategies, let us know: strategies are usually easy to add, and once added can be specified in your Job file.

3. Specify some routes to test

There are details around this in the Job File documentation. If you are testing an API, then instead of specifying routes you will want to provide the API definitions.

4. Put the CLI into your build pipeline

There are some details in the CLI README; it is also worth discussing this on one of our Slack channels.

5. Add to and extend your existing Job file

Work through the many possible options in the Job File documentation.
