Skip to content

Security: firebitsbr/PurpleOPS

Security

docs/SECURITY.md

Security Guidelines - PurpleOPS BAS

⚠️ CRITICAL: READ BEFORE USE

This platform is designed for AUTHORIZED TESTING ONLY in controlled laboratory environments. Misuse can result in:

  • Legal consequences
  • Termination of employment
  • Criminal charges
  • Damage to systems and reputation

Authorization Requirements

Before ANY execution:

  1. Written Authorization

    • Obtain signed approval from management
    • Document scope and objectives
    • Define testing window
    • Specify authorized targets

  2. Scope Allowlist

    • CIDR ranges: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
    • Explicit hostnames/IPs only
    • NO production systems
    • NO customer environments without explicit consent

  3. Proof of Authorization

    • Ticket ID (JIRA, ServiceNow, etc.)
    • Email thread with approval
    • Signed authorization form
    • Store in exercise record

  4. Stakeholder Notification

    • Inform Blue Team
    • Notify SOC
    • Alert incident response team
    • Provide contact information

Prohibited Actions

NEVER:

  • ❌ Execute real exploits or malware
  • ❌ Exfiltrate real data
  • ❌ Cause service disruption
  • ❌ Test production environments without explicit approval
  • ❌ Bypass safety guardrails
  • ❌ Modify audit logs
  • ❌ Share credentials outside authorized team
  • ❌ Execute untested scenarios on live systems

Safety Guardrails

Built-in Protections:

  1. Allowlist Enforcement

    • All targets validated against allowlist
    • Automatic rejection of unauthorized targets
    • Cannot be bypassed

  2. Action Blacklist

    • Keywords blocked: exploit, malware, backdoor, ransomware, etc.
    • Automatic action blocking
    • Logged and audited

  3. Approval Workflow

    • Two-person rule (creator + approver)
    • Purple Lead or Admin approval required
    • Cannot self-approve

  4. Audit Trail

    • All actions logged
    • User, timestamp, IP recorded
    • Immutable audit log
    • Regular review required

  5. Timeouts

    • Maximum execution time enforced
    • Automatic stop on timeout
    • Prevents runaway processes

RBAC Permissions

Role Permissions
Admin Full access, user management, delete exercises
Purple Lead Create/approve/execute exercises, view all results
Analyst View exercises and results, no execution
Viewer Read-only access to reports

Secure Deployment

Production Deployment Checklist:

  • Change default passwords
  • Rotate JWT secret
  • Enable HTTPS/TLS
  • Configure firewall rules
  • Enable audit log review
  • Set up monitoring/alerting
  • Review and restrict allowlists
  • Enable MFA for admin accounts
  • Regular security updates
  • Backup database regularly

Docker Security:

  • Non-root users
  • Read-only filesystems
  • Minimal capabilities
  • Resource limits
  • Healthchecks
  • Isolated networks
  • Scan images for vulnerabilities (add to CI/CD)

Incident Response

If something goes wrong:

  1. Immediate Actions

    • Stop all running exercises
    • Notify Blue Team/SOC immediately
    • Document what happened
    • Preserve logs and evidence

  2. Investigation

    • Review audit logs
    • Identify root cause
    • Assess impact
    • Document lessons learned

  3. Remediation

    • Fix any damage caused
    • Update guardrails if needed
    • Improve documentation
    • Retrain team if necessary

  4. Reporting

    • Incident report to management
    • Share findings with team
    • Update runbooks
    • Implement preventive measures

Data Protection

Sensitive Data Handling:

  • Credentials: Store in secrets manager (not in code)
  • API Keys: Environment variables only
  • Logs: Sanitize before export
  • Reports: Encrypt when sharing externally
  • Database: Encrypt at rest (TDE)
  • Backups: Encrypted and access-controlled

Network Segmentation

Required Isolation:

  1. Control Plane (172.20.0.0/24)

    • Management interfaces
    • API/UI access
    • Database connections

  2. Lab Network (172.21.0.0/24)

    • Scenario execution
    • Isolated from production
    • No direct internet access

  3. Production (separate)

    • Never directly accessible
    • Requires additional authorization
    • Strict change control

Legal & Compliance

Compliance Considerations:

  • GDPR: No PII in test data
  • SOC 2: Audit trail maintained
  • ISO 27001: Security controls documented
  • PCI DSS: No cardholder data in tests
  • HIPAA: No PHI in lab environments

Legal Protection:

  • Obtain legal review of authorization forms
  • Insurance coverage for testing activities
  • Clear scope boundaries in contracts
  • Liability limitations documented

Training Requirements

Before Platform Access:

  • Complete security awareness training
  • Read and sign AUP (Acceptable Use Policy)
  • Complete hands-on lab training
  • Shadow experienced team member
  • Pass knowledge check
  • Annual refresher training

Reporting Security Issues

Found a vulnerability?

  1. DO NOT exploit it
  2. Document the finding
  3. Report to: security@purpleops.local
  4. Include: description, steps to reproduce, potential impact
  5. Allow time for remediation before public disclosure

Emergency Contacts

Acknowledgment

By using this platform, you acknowledge:

✓ I have read and understood these security guidelines
✓ I will only use this platform with proper authorization
✓ I understand the legal and professional consequences of misuse
✓ I will report any security issues or incidents immediately
✓ I will protect credentials and sensitive information

Last Updated: January 6, 2026
Review Frequency: Quarterly
Next Review: April 6, 2026

There aren’t any published security advisories