AppSec Engineer's Local Setup
This page is inspired by GitLab’s https://handbook.gitlab.com/handbook/security/product-security/application-security/runbooks/local-setup/.
Rocket.Chat Workspace
It’s important for Application Security Engineers to know how to set up a development environment. AppSec Engineers at Rocket.Chat need to be hands-on, understanding how our code works and how to modify it to fix vulnerabilities or, at the very least, propose fixes.
To better understand Rocket.Chat’s code structure, you can refer to the following documentation: Repository Structure.
After becoming familiar with the repository, the AppSec Engineer can choose to install the environment locally on macOS, Windows, or Linux, or use Gitpod. Instructions for each setup can be found in the Server Environment Setup.
When first setting up your local environment, you will be on the Starter Plan (more information at Rocket.Chat | Pricing for secure team collaboration). If you need to test enterprise-only features, you will need to request an upgrade from the SRE team by providing them with a workspace ID and the reason you need an enterprise workspace. Most of the time this will be for pentesting such a feature, confirming a vulnerability reported via HackerOne, or confirming that a code change was sufficient to fix a security issue.
Testing Proxy
Application Security Engineers are not Penetration Testers or Offensive Security Engineers, but they may need to perform a penetration test or use a testing proxy to intercept and manipulate requests when reproducing HackerOne issues.
Engineers can choose their favorite proxy, but we recommend Burp Suite or OWASP ZAP.