Security Requirement to scan for passwords in Jazz products
- Keyword search to find indicators of where a password may be present for keywords such as “password” or “passwd”.
- Pattern search passwords – this is a regular expression search for all text strings that conform to corporate security standards for valid passwords.
One answer
For QM, this is going to be Plans, Cases, Scripts, Results, Suites, etc. I am not going to claim it's truly exhaustive (e.g. there may be some bits of text not indexed), but it's there already and will hit the majority of instances covering the most likely places where you'd hit SPI slip that you describe.
Comments
that will be for one QM or RM project, right?
Correct - one project area.
You can scope your search to "All Projects" in RRC, but you can't do regex search. I can't think of any way to do that without using Java.
I think they would want to scope to one project. This customer standardized on Lifecycle projects so it would be nice if you could do all at once (RM, QM and RTC), but that is wishful thinking.
While the full text search can reveal "password" and "passwd" occurrence, I wonder how it can meet the second requirement? The second requirement basically says that the scanner needs to scan all words in the index/database.
I think it is not that there is a need to query the full text index using regex, but rather, the scanner will match each word it sees with a predefined regex pattern. For example, if the corporate rule requires the password to contain at least one numeric, then the word "bad" is definitely not a password, while "b@d" is potentially a password and an alarm will be raised.
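The word-by-word check described in the comment above, as an added example that is not part of the original thread or of any Jazz product: the password standard, the keyword list and the sample text are all constructed assumptions, and the scanner treats a policy-shaped word found shortly after a keyword such as "passwd" as a likely hit rather than just a possible one.

```python
import re

# Constructed corporate password standard (an assumption for this example):
# 8 to 20 non-space characters with at least one lowercase letter, one
# uppercase letter, one digit and one non-alphanumeric symbol.
POLICY_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])\S{8,20}$")
# Keyword indicators named in the requirement, plus one common abbreviation.
KEYWORD_RE = re.compile(r"\b(password|passwd|pwd)\b", re.IGNORECASE)
TOKEN_RE = re.compile(r"\S+")
NEAR_WINDOW = 40  # characters after a keyword that still count as "near" it
TRAILING_PUNCT = ".,;:!?)'\""


def keyword_hits(text: str) -> list[int]:
    """Requirement 1: offsets of keywords indicating a password may follow."""
    return [m.start() for m in KEYWORD_RE.finditer(text)]


def policy_matches(text: str) -> list[tuple[int, str]]:
    """Requirement 2: every word is tested against the policy regex.

    Each word is tried with trailing sentence punctuation stripped first
    ('Tr0ub4dor&3,' -> 'Tr0ub4dor&3'), then as written, so a secret that
    itself ends in '!' is not lost by the stripping.
    """
    hits = []
    for m in TOKEN_RE.finditer(text):
        raw = m.group(0)
        for cand in (raw.rstrip(TRAILING_PUNCT), raw):
            if POLICY_RE.match(cand):
                hits.append((m.start(), cand))
                break
    return hits


def scan(text: str) -> dict[str, object]:
    """Report policy-shaped words; those shortly after a keyword are 'likely'."""
    keywords = keyword_hits(text)
    matches = policy_matches(text)
    likely = [w for off, w in matches
              if any(0 <= off - k <= NEAR_WINDOW for k in keywords)]
    return {"keywords": len(keywords),
            "possible": [w for _, w in matches],
            "likely": likely}

# Constructed sample resembling a test-script step stored in a QM project.
SAMPLE = ("Step 3: log in as qa_user with passwd Tr0ub4dor&3, then open the "
          "dashboard. Note: the old value bad is rejected; Release2014-Q1! "
          "is the build label.")
```

Running `scan(SAMPLE)` reports both "Tr0ub4dor&3" and the build label "Release2014-Q1" as possible matches, but only the first as likely, which is the kind of ranking that keeps a policy-shaped version string from drowning out real hits.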
Comments
sam detweiler
May 07 '14, 8:26 a.m.
I have seen this mentioned a number of times. The closest RTC thing is the Required Content advisor for Source/Deliver/Server/Phase 2.
It would be a model for creating the RTC advisor you want.
I don't think either of the other products have the extension capability to implement something like this.