logo
securityArticlesConferencesPresentations

Purple Teaming with OWASP PurpleTeam

Conference:  OWASP 20th Anniversary Event

2021-09-24

Authors:   Kim Carter

Summary

The presentation discusses the Purple Team approach to cybersecurity and DevOps, which involves collaboration between red and blue teams to improve security testing and remediation.
  • Purple Team approach involves collaboration between red and blue teams
  • Uses automated testing tools and continuous integration to improve security testing and remediation
  • Involves setting up web applications and deploying them using infrastructure as code
  • Provides detailed reports on defects and how to remediate them
  • Offers opportunities for contributors with various skill levels to participate in building the Purple Team framework
The presenter demonstrates how to run a test using the Purple Team CLI, which involves starting Docker stats, Docker compose UI, and SAM local, building and bringing up stage 2 containers, and running the CLI to validate and sanitize job file contents. Docker stats shows the stage 2 containers being brought up, and the CLI provides detailed reports on defects and how to remediate them.

Abstract

Abstract:What is OWASP PurpleTeam?PurpleTeam is a security regression testing CLI and SaaS targeting Web applications and APIs.The CLI is specifically targeted at sitting within your build pipelines but can also be run manually.The SaaS that does the security testing of your applications and/or APIs can be deployed anywhere.Kim will briefly discuss the three-year journey that has brought PurpleTeam from a proof of concept (PoC) to where it is now.An overview of the NodeJS micro-services with a pluggable tester architecture will be provided.Why would I want it in my build pipelines?In this section, Kim will discuss the problem that PurpleTeam solves,along with the cost savings of finding and fixing your application security defects early (as you're introducing them) as opposed to late (weeks months later with external penetration testing) or not at all.OK, I want it, how do we/I set it up?Kim will walk you through all of the components and how to get them set-up and configuredGreat, but what do the workflows look like?Let's walk through the different ways PurpleTeam can be run and utilised, such as:* Running purpleteam standalone (with UI)* Running purpleteam from within your pipelines as a spawned sub process (headless: without UI)* Running all of the PurpleTeam components, including debugging each and every one of them if and when the need arises
Materials:
Tags:
PurpleTeam
regression
testing
Web

Post a comment

Related work

Feedback loop in DevSecOps - mature security process and dev cooperation

Conference:  OWASP 20th Anniversary Event
Authors: Daniel Krasnokucki
2021-09-24

Prow! Leveraging Developer-Centric CI for Your OSS Project!

Conference:  KubeCon + CloudNativeCon Europe 2022
Authors: Nabarun Pal, Arsh Sharma
2022-05-18

Securing Diverse Supply Chains Across Interconnected Systems

Conference:  Cloud Native SecurityCon North America 2023
Authors: Wayne Starr, Aaron Creel

Abusing SAST tools! When scanners do more than just scanning

Conference:  Defcon 29
Authors:
2021-08-01

Lightning Talk: A Component Registry for Kubeflow Pipelines

Conference:  OpenAI + Data Forum 2022
Authors: Christian Kadner
2022-06-23

⚡ Lightning Talk: My First Supply Chain Security Pull Request as a 13-Year-Old

Conference:  Cloud Native SecurityCon North America 2023
Authors: Neil Naveen