Invitation to work on purpleteam


Kim Carter

Jan 30, 2021, 10:05:18 PM
to OWASP ZAP Developer Group

Hi Zap Dev Community.

I've been working on purpleteam for a few years. It's now at the alpha stage in both local and cloud. Purpleteam is a web security regression testing SaaS. The open source code can be found here: (https://github.com/purpleteam-labs). You'll always be able to find a link to it from https://purpleteam-labs.com/

The local environment is completely free and open. The cloud environment uses all the open source code plus an infrastructure as code (IaC) project to set everything up in the cloud.

The local environment can be set up locally on a machine or within some arbitrary network of your choosing at no monetary (just time) cost.

The cloud environment costs, as all the set-up work is done via IaC (the cost involved is from running the infrastructure). The CLI (https://github.com/purpleteam-labs/purpleteam) is free and open. In this case, all the Build User has to do is create a Job (examples here: https://github.com/purpleteam-labs/purpleteam/tree/main/testResources/jobs) and fire it at the AWS API Gateway to pass to the orchestrator to start running everything.

The CLI initiates all testing in the back-end and can be consumed by your Dev Team build scripts/tools (CI/CD), and/or run manually.

Purpleteam uses a pluggable micro-service architecture (all in NodeJS). By pluggable I mean anyone (Developers) can create additional Testers. Currently the only fully implemented Tester (app-scanner: https://github.com/purpleteam-labs/purpleteam-app-scanner) uses Zap as its emissary.

In terms of tech, we use:

  • Server-Sent Events (SSE) (AKA EventSource) for tester progress messages from the orchestrator to the CLI, and Long Polling in AWS, as AWS API Gateway doesn't support streaming APIs and our authn isn't supported by AWS API Gateway WebSocket APIs. We may change to WebSockets in the future if there's a compelling reason to rework our API Gateway and authn IaC. Currently it's fine. More details here (https://github.com/purpleteam-labs/purpleteam#configuration)
  • Redis pub/sub (used with SSEs) and also Redis lists (used with long polling (LP), which makes for more reliable messaging of tester events from the orchestrator to the CLI)
  • AWS Lambda functions to start/stop the stage 2 containers (https://github.com/purpleteam-labs/purpleteam-s2-containers). This works locally via sam cli and in the cloud via AWS Lambda. The stage 2 containers are specified by docker-compose.yml files for local and EC2 definitions for the cloud. Locally we use docker-compose-ui to host a service that our lambda functions talk to
  • The system under test I've been using is NodeGoat, I use this project (https://github.com/purpleteam-labs/purpleteam-iac-sut) to start/stop/reset the SUT. purpleteam-iac-sut is also created to take any web app in a container and spin it up in AWS immediately
  • Lots of AWS services for the cloud (paid for offering) environment
  • Lots of stuff that escapes me right now

The open docs are currently here: https://github.com/purpleteam-labs/purpleteam-doc . We will be moving these to a proper docs site soon and extending on them. There are more docs (closed) for the development of the cloud environment.

Please pass this on to whoever you think may be interested in coming on board to help contribute toward developing purpleteam. Please shout out if you have any questions (either here or at https://github.com/purpleteam-labs/purpleteam/discussions). Rough and (possibly not) ready landing page for purpleteam is here: https://purpleteam-labs.com/

Thanks muchly!

[Attachment: purpleteam_local_2021-01.png]
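The post above contrasts two ways of getting tester events from the orchestrator to the CLI: Redis pub/sub feeding SSE, and Redis lists feeding long polling, with the list path described as the more reliable of the two. The following is an added example (written for this page, not code from the purpleteam project) that shows why in a runnable, offline form: Redis is replaced by two small in-memory stand-ins with the same delivery semantics, and the event names, channel and list keys, and the sample tester events are all constructed for the illustration. The point it demonstrates is that pub/sub is fire-and-forget, so a CLI that attaches late (or reconnects) misses whatever was published before it subscribed, whereas a list keeps the events until a poll drains them.

```javascript
// Added example, not purpleteam code. Redis PUBLISH/SUBSCRIBE and RPUSH/LRANGE+LTRIM
// are replaced by in-memory stand-ins so the comparison runs offline.

// Stand-in for Redis pub/sub: a message published while nobody is subscribed is dropped.
class InMemoryPubSub {
  constructor() { this.subscribers = new Map(); }
  subscribe(channel, handler) {
    if (!this.subscribers.has(channel)) this.subscribers.set(channel, []);
    this.subscribers.get(channel).push(handler);
  }
  // Like Redis PUBLISH, returns how many subscribers received the message.
  publish(channel, message) {
    const handlers = this.subscribers.get(channel) || [];
    handlers.forEach((h) => h(message));
    return handlers.length;
  }
}

// Stand-in for Redis lists: RPUSH appends; drain() takes items off the head,
// which is what a long-poll handler would do with LRANGE followed by LTRIM.
class InMemoryLists {
  constructor() { this.lists = new Map(); }
  rpush(key, value) {
    if (!this.lists.has(key)) this.lists.set(key, []);
    this.lists.get(key).push(value);
    return this.lists.get(key).length;
  }
  drain(key, max) {
    const list = this.lists.get(key) || [];
    return list.splice(0, max);
  }
}

// One tester event as an SSE frame. The id: field is what lets a reconnecting
// EventSource send Last-Event-ID, the standard hook for resuming a stream.
function sseFrame({ id, event, data }) {
  return `id: ${id}\nevent: ${event}\ndata: ${JSON.stringify(data)}\n\n`;
}

// The CLI side: parse an SSE frame back into { id, event, data }.
function parseSseFrame(frame) {
  const out = {};
  for (const line of frame.trim().split('\n')) {
    const idx = line.indexOf(':');
    const field = line.slice(0, idx);
    const value = line.slice(idx + 1).trim();
    out[field] = field === 'data' ? JSON.parse(value) : value;
  }
  if ('id' in out) out.id = Number(out.id);
  return out;
}

// Constructed tester events (names and payloads are assumptions for this example).
const TESTER_EVENTS = [
  { id: 1, event: 'testerProgress', data: { testerType: 'app', message: 'Initialising emissary' } },
  { id: 2, event: 'testerProgress', data: { testerType: 'app', message: 'Spidering target' } },
  { id: 3, event: 'testerPctComplete', data: { testerType: 'app', pct: 50 } },
  { id: 4, event: 'testerProgress', data: { testerType: 'app', message: 'Active scan finished' } },
];

// Emit the first `emittedBeforeConnect` events before the CLI attaches, the rest after,
// and return the event ids each delivery path actually handed to the CLI.
function simulateDelivery(emittedBeforeConnect) {
  const pubsub = new InMemoryPubSub();
  const lists = new InMemoryLists();
  const channel = 'testerProgress:app'; // assumed channel name
  const listKey = 'testerEvents:app';   // assumed list key

  const orchestratorEmit = (evt) => {
    pubsub.publish(channel, sseFrame(evt));      // SSE path
    lists.rpush(listKey, JSON.stringify(evt));   // long-poll path
  };

  TESTER_EVENTS.slice(0, emittedBeforeConnect).forEach(orchestratorEmit);

  // CLI attaches now: subscribes for SSE and starts long polling.
  const sseReceived = [];
  pubsub.subscribe(channel, (frame) => sseReceived.push(parseSseFrame(frame).id));

  TESTER_EVENTS.slice(emittedBeforeConnect).forEach(orchestratorEmit);

  // Each long poll returns whatever has accumulated (here at most 2 per poll) and removes it.
  const longPollReceived = [];
  let batch;
  while ((batch = lists.drain(listKey, 2)).length > 0) {
    longPollReceived.push(...batch.map((s) => JSON.parse(s).id));
  }
  return { sseReceived, longPollReceived };
}

// CLI attaching after two events have already been emitted:
console.log(simulateDelivery(2)); // sseReceived: [3, 4], longPollReceived: [1, 2, 3, 4]
```

The SSE path is still fine when the CLI is connected before the orchestrator starts emitting (`simulateDelivery(0)` gives both paths all four ids); the list path is the one that also survives a late attach, and the `id:` field in the SSE frame is the equivalent resumption hook on the streaming side.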

Kim Carter

Feb 17, 2021, 7:17:43 AM
to OWASP ZAP Developer Group
New blog post on the journey of taking purpleteam from PoC to Alpha https://binarymist.io/blog/2021/02/17/purpleteam-at-alpha/

Oh, and purpleteam local is now an OWASP project https://owasp.org/www-project-purpleteam/
