Open applejag opened 3 years ago
Hi @jilleJr
PurpleTeam is supposed to augment red teams. Red teams are usually applied near the end of a development project, whereas PurpleTeam runs against your web apps/APIs as you're developing them. This is the cheapest place to find and fix security defects. 15+x cheaper, in fact.
Some details I wrote on the topic before creating PurpleTeam: https://f0.holisticinfosecforwebdevelopers.com/chap06.html#leanpub-auto-cheapest-place-to-deal-with-defects BTW, that book series is free to read online.
This talk explains the rationale: https://speakerdeck.com/binarymist/security-regression-testing-on-owasp-zap-node-api
Have a look at this video walk-through of PurpleTeam in action: https://purpleteam-labs.com/project/video-pt-full-system-run-2021/
Give me a yell if you need any help. Docs here: https://purpleteam-labs.com/doc/
As we don't have dedicated red teams trying to penetrate Wharf, we should add automatic DAST (Dynamic Application Security Testing) integrated into our CI pipeline.
This needs investigation, but one proposal that comes to mind is OWASP PurpleTeam (developed partly by some folks from OWASP https://owasp.org/), which tries to apply common and uncommon security flaws to an HTTP API. It is language agnostic, but you need to supply it a list of endpoints, which we already have via Swaggo. They allow you to self-host for free, which we could set up quite easily I think.
PurpleTeam does not substitute real red teams, but it is better than nothing.
Maybe the security design of Wharf is too bad in its current state to even consider this. But we should consider it once the RFC https://github.com/iver-wharf/rfcs/pull/13 has been implemented.
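The issue's point that the endpoint list already exists via Swaggo can be made concrete. The following is an added example, not code from Wharf or from PurpleTeam: it reads the Swagger 2.0 JSON that `swag init` emits, lists every method/path pair with the `basePath` prefixed, and fills `{param}` placeholders from a map so the paths can actually be requested by a scanner. The spec below is a constructed, trimmed-down sample, the parameter IDs are made up, and the output is a plain method/path list because the scanner's own job format is not described in this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// swaggerDoc is the subset of a Swagger 2.0 document (the format `swag init`
// generates) needed here: the base path and the path -> operation map.
type swaggerDoc struct {
	BasePath string                                `json:"basePath"`
	Paths    map[string]map[string]json.RawMessage `json:"paths"`
}

// Endpoint is one HTTP method + path pair a DAST scanner can be pointed at.
type Endpoint struct {
	Method string
	Path   string
}

var httpMethods = map[string]bool{
	"get": true, "put": true, "post": true, "delete": true,
	"options": true, "head": true, "patch": true,
}

// ExtractEndpoints lists every operation in the spec, prefixed with basePath,
// sorted by path then method so the output is stable across CI runs.
func ExtractEndpoints(spec []byte) ([]Endpoint, error) {
	var doc swaggerDoc
	if err := json.Unmarshal(spec, &doc); err != nil {
		return nil, fmt.Errorf("parse swagger spec: %w", err)
	}
	var eps []Endpoint
	for p, ops := range doc.Paths {
		for key := range ops {
			// A path item may also carry a shared "parameters" key; it is not an operation.
			if !httpMethods[strings.ToLower(key)] {
				continue
			}
			eps = append(eps, Endpoint{
				Method: strings.ToUpper(key),
				Path:   strings.TrimRight(doc.BasePath, "/") + "/" + strings.TrimLeft(p, "/"),
			})
		}
	}
	sort.Slice(eps, func(i, j int) bool {
		if eps[i].Path != eps[j].Path {
			return eps[i].Path < eps[j].Path
		}
		return eps[i].Method < eps[j].Method
	})
	return eps, nil
}

var pathParam = regexp.MustCompile(`\{([^}]+)\}`)

// FillPathParams substitutes {name} placeholders with concrete values so the
// path can actually be requested. Placeholders with no value are left in place
// and reported, so a CI step can fail loudly instead of scanning a 404.
func FillPathParams(path string, values map[string]string) (string, []string) {
	var missing []string
	filled := pathParam.ReplaceAllStringFunc(path, func(m string) string {
		name := m[1 : len(m)-1]
		if v, ok := values[name]; ok {
			return v
		}
		missing = append(missing, name)
		return m
	})
	return filled, missing
}

// sampleSpec is a constructed, trimmed-down swag output used only for this example.
const sampleSpec = `{
  "swagger": "2.0",
  "basePath": "/api",
  "paths": {
    "/projects": {
      "get": {"summary": "List projects"},
      "post": {"summary": "Create project"}
    },
    "/projects/{projectId}": {
      "parameters": [{"name": "projectId", "in": "path", "type": "integer"}],
      "get": {"summary": "Get project"},
      "delete": {"summary": "Delete project"}
    }
  }
}`

func main() {
	eps, err := ExtractEndpoints([]byte(sampleSpec))
	if err != nil {
		panic(err)
	}
	// Assumed sample IDs for path parameters; a real pipeline would seed these
	// from the fixtures it deploys alongside the app under test.
	ids := map[string]string{"projectId": "1"}
	for _, e := range eps {
		p, missing := FillPathParams(e.Path, ids)
		fmt.Printf("%-6s %s", e.Method, p)
		if len(missing) > 0 {
			fmt.Printf("  (unresolved: %s)", strings.Join(missing, ", "))
		}
		fmt.Println()
	}
}
```

In a pipeline this would run against the generated `docs/swagger.json` after the app is deployed to a throwaway environment, and any unresolved placeholder should fail the step rather than be scanned as a literal `{projectId}` URL.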