Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Security Requirement to scan for passwords in Jazz products

 Hi,
My customer has a requirement that they must scan all source code in RTC, requirements in RRC and Test artefacts in RQM for plain text passwords to ensure that someone has not embedded password text into artefacts stored in Jazz. Specifically they want to scan for:
  • Keyword search to find indicators of where a password may be present for keywords such as “password” or “passwd”.
  • Pattern search passwords – this is a regular expression search for all text strings that conform to corporate security standards for valid passwords. 

Has anyone implemented such a requirement before?
If so, how and with what tools?

Cheers
Adrian

0 votes

Comments

I have seen this mentioned a number of times. The closest RTC thing is the Required Content advisor for Source/Deliver/Server/Phase 2.

It would be a model for creating the RTC advisor you want.
I don't think either of the other products have the extension capability to implement something like this.



One answer

You can use "Full Text Search" to identify most occurrences. That is the text search box in the upper right hand corner of the web UI and it covers all of the primary artifacts.
For QM, this is going to be Plans, Cases, Scripts, Results, Suites, etc. I am not going to claim it's truly exhaustive (e.g. there may be some bits of text not indexed), but it's there already and will hit the majority of instances covering the most likely places where you'd hit SPI slip that you describe.

0 votes

Comments

That will be for one QM or RM project, right?

Correct - one project area.

You can scope your search to "All Projects" in RRC, but you can't do regex search. I can't think of any way to do that without using Java.

I think they would want to scope to one project. This customer standardized on Lifecycle projects so it would be nice if you could do all at once (RM, QM and RTC),
but that is wishful thinking.

While the full text search can reveal "password" and "passwd" occurrence, I wonder how it can meet the second requirement? The second requirement basically says that the scanner needs to scan all words in the index/database.
I think it is not that there is a need to query the full text index using regex, but rather, the scanner will match each word it sees with a predefined regex pattern. For example, if the corporate rule requires the password to contain at least one numeric, then the word "bad" is definitely not a password, while "b@d" is potentially a password and an alarm will be raised.
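A scanner of the kind this comment describes, as an added example that is not code from the thread or from any Jazz product: it flags keyword indicators ("password"/"passwd") and separately tests every token of the text against a corporate password pattern. The policy regex and the sample artifact text are assumptions constructed for the example; a real deployment would feed it the text exported from RTC, RRC and RQM.

```python
import re

# Keyword indicators named in the question. Deliberately no \b word
# boundaries, so identifiers such as "db_password" are still caught
# (at the cost of some extra hits, e.g. "passwords").
KEYWORD_RE = re.compile(r"passw(?:or)?d", re.IGNORECASE)

# Assumed corporate policy (not from the thread): 8-32 non-space chars
# with at least one upper, one lower, one digit and one symbol.
CANDIDATE_RE = re.compile(
    r"(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9\s])\S{8,32}"
)

# Punctuation commonly wrapped around a value in source or requirement text.
_WRAP = "\"'`;,()[]{}<>"


def scan_text(text, policy=CANDIDATE_RE):
    """Return (line_no, kind, token) findings; kind is 'keyword' or 'candidate'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in KEYWORD_RE.finditer(line):
            findings.append((line_no, "keyword", m.group(0)))
        for raw in line.split():
            token = raw.strip(_WRAP)
            if token and policy.fullmatch(token):
                findings.append((line_no, "candidate", token))
    return findings


def scan_artifacts(artifacts, policy=CANDIDATE_RE):
    """artifacts: {artifact_id: text}. Returns only the artifacts with findings."""
    report = {}
    for art_id, text in artifacts.items():
        hits = scan_text(text, policy)
        if hits:
            report[art_id] = hits
    return report


# Constructed sample artifact text (not real customer data).
SAMPLE = """\
# constructed sample artifact text
db_user = admin
db_password = "Tr0ub4dor&3"
note: ask the admin for the passwd
version 1.2.3 build 20140507
"""

if __name__ == "__main__":
    for art, hits in scan_artifacts({"WI-1 (constructed)": SAMPLE}).items():
        for line_no, kind, token in hits:
            print(f"{art}: line {line_no}: {kind}: {token}")
```

Line 3 of the sample shows the two requirements combining: the keyword hit and a policy-conforming token on the same line is the pattern worth triaging first.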

Question asked: May 07 '14, 6:59 a.m.

Question was seen: 6,572 times

Last updated: May 07 '14, 10:16 p.m.