Security Requirement to scan for passwords in Jazz products
Hi,
My customer has a requirement that they must scan all source code in RTC, requirements in RRC and Test artefacts in RQM for plain text passwords to ensure that someone has not embedded password text into artefacts stored in Jazz. Specifically they want to scan for:
Has anyone implemented such a requirement before?
If so, how and with what tools?
Cheers
Adrian
One answer
You can use "Full Text Search" to identify most occurrences. That is the text search box in the upper right-hand corner of the web UI and it covers all of the primary artifacts.
For QM, this is going to be Plans, Cases, Scripts, Results, Suites, etc. I am not going to claim it's truly exhaustive (e.g. there may be some bits of text not indexed), but it's there already and will hit the majority of instances covering the most likely places where you'd hit SPI slip that you describe.
Comments
sam detweiler
commented May 07 '14, 4:44 p.m.
That will be for one QM or RM project, right?
Correct - one project area.
Benjamin Silverman
commented May 07 '14, 4:58 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
You can scope your search to "All Projects" in RRC, but you can't do regex search. I can't think of any way to do that without using Java.
sam detweiler
commented May 07 '14, 5:11 p.m.
I think they would want to scope to one project. This customer standardized on Lifecycle projects, so it would be nice if you could do all at once (RM, QM and RTC).
Donald Nong
commented May 07 '14, 10:16 p.m.
While the full text search can reveal "password" and "passwd" occurrences, I wonder how it can meet the second requirement? The second requirement basically says that the scanner needs to scan all words in the index/database.
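As the comments note, the Jazz full text search finds every mention of "password" but cannot do a regex search, and it says nothing about the second requirement (a string that merely looks like a password). The scanner below is an added example written for this thread; it is not code from the thread, from IBM or from the Jazz products, and it assumes the artefact text has already been exported out of RTC, RRC and RQM (for example as files on disk) rather than plugging into the Jazz index. The sample artefacts, file paths, keyword list and the entropy and character-class thresholds are constructed assumptions. It distinguishes the two checks Donald Nong separates: a keyword-assignment match (`password`, `passwd` and similar followed by `=` or `:`) and a heuristic over every quoted literal, and it masks the matched value so the report does not itself become a copy of the secret.

```python
import math
import re
from collections import Counter

# Constructed sample artefacts, as they might be exported from each product.
# None of these values are real; they exist only to exercise the checks.
SAMPLE_ARTEFACTS = {
    "rtc/src/DbConfig.java": [
        'String user = "svc_build";',
        'String password = "Tr0ub4dor&3";',
        'String apiToken = "q7Lm3P9xZ2kR";',
        "int timeout = 30;",
    ],
    "rrc/requirement-42.txt": [
        "The system shall prompt the user for a password at login.",
    ],
    "rqm/script-7.txt": [
        "Step 1: log in with passwd=hunter2 and verify the dashboard loads.",
        "Step 2: export the report.",
    ],
}

# First requirement: a password-like keyword immediately assigned a value.
# A bare mention such as "prompt the user for a password" is deliberately
# not matched, which is the noise the plain full text search cannot filter.
KEYWORD_RE = re.compile(
    r"\b(password|passwd|pwd|secret)\b\s*[:=]\s*[\"']?([^\s\"';,]+)",
    re.IGNORECASE,
)

# Second requirement: every quoted literal of 8+ characters is a candidate.
TOKEN_RE = re.compile(r"[\"']([^\"'\s]{8,})[\"']")


def shannon_entropy(s):
    """Bits of entropy per character of the string (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def char_classes(s):
    """Number of character classes present: lower, upper, digit, other."""
    return sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def looks_like_secret(token, entropy_threshold=3.0):
    """Heuristic (assumed thresholds): long, mixed character classes, high entropy."""
    return len(token) >= 8 and char_classes(token) >= 3 and shannon_entropy(token) >= entropy_threshold


def mask(value):
    """Keep only a two-character prefix so the report does not leak the value."""
    if len(value) <= 4:
        return "****"
    return value[:2] + "*" * (len(value) - 2)


def scan_line(artefact, lineno, line):
    """Return a list of findings for one line; each finding names the check that fired."""
    findings = []
    keyword_value = None
    m = KEYWORD_RE.search(line)
    if m:
        keyword_value = m.group(2)
        findings.append({
            "artefact": artefact, "line": lineno, "reason": "keyword-assignment",
            "keyword": m.group(1).lower(), "evidence": mask(keyword_value),
        })
    for t in TOKEN_RE.finditer(line):
        tok = t.group(1)
        if tok == keyword_value:
            continue  # already reported by the keyword check
        if looks_like_secret(tok):
            findings.append({
                "artefact": artefact, "line": lineno, "reason": "high-entropy-literal",
                "keyword": None, "evidence": mask(tok),
            })
    return findings


def scan_artefacts(artefacts):
    """Scan a mapping of artefact name -> list of text lines and collect all findings."""
    findings = []
    for artefact, lines in artefacts.items():
        for lineno, line in enumerate(lines, start=1):
            findings.extend(scan_line(artefact, lineno, line))
    return findings


if __name__ == "__main__":
    for f in scan_artefacts(SAMPLE_ARTEFACTS):
        print(f"{f['artefact']}:{f['line']} {f['reason']} {f['evidence']}")
```

Running it on the sample reports the `password` assignment and the unlabeled `apiToken` literal in the RTC file and the `passwd=` in the RQM script, while the RRC requirement that only talks about a password and the `svc_build` user name (two character classes) produce nothing. The entropy and class thresholds trade false positives for misses; tune them against a known-clean export before relying on the counts.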
Your answer
Comments
I have seen this mentioned a number of times. The closest RTC thing is the Required Content advisor for Source/Deliver/Server/Phase 2.
It would be a model for creating the RTC advisor you want.
I don't think either of the other products have the extension capability to implement something like this.