Security Requirement to scan for passwords in Jazz products

Adrian Daniels (6312120) | asked May 07 '14, 6:59 a.m.
My customer has a requirement that they must scan all source code in RTC, requirements in RRC and Test artefacts in RQM for plain text passwords to ensure that someone has not embedded password text into artefacts stored in Jazz. Specifically they want to scan for:
  • Keyword search to find indicators of where a password may be present for keywords such as “password” or “passwd”.
  • Pattern search passwords – this is a regular expression search for all text strings that conform to corporate security standards for valid passwords. 

Has anyone implemented such a requirement before?
If so, how and with what tools?


sam detweiler commented May 07 '14, 8:26 a.m.

I have seen this mentioned a number of times. The closest RTC thing is the Required Content advisor for Source/Deliver/Server/Phase 2.

It would be a model for creating the RTC advisor you want.
I don't think either of the other products have the extension capability to implement something like this.

One answer

John Nason (2.4k1012) | answered May 07 '14, 4:40 p.m.
You can use "Full Text Search" to identify most occurrences. That is the text search box in the upper right hand corner of the web UI and it covers all of the primary artifacts.
For QM, this is going to be Plans, Cases, Scripts, Results, Suites, etc. I am not going to claim it's truly exhaustive (e.g. there may be some bits of text not indexed), but it's there already and will hit the majority of instances covering the most likely places where you'd hit SPI slip that you describe.

sam detweiler commented May 07 '14, 4:44 p.m.

That will be for one QM or RM project, right?

John Nason commented May 07 '14, 4:45 p.m.

Correct - one project area.

Benjamin Silverman commented May 07 '14, 4:58 p.m.

You can scope your search to "All Projects" in RRC, but you can't do regex search. I can't think of any way to do that without using Java.

sam detweiler commented May 07 '14, 5:11 p.m.

I think they would want to scope to one project. This customer standardized on Lifecycle projects so it would be nice if you could do all at once (RM, QM and RTC), but that is wishful thinking.

Donald Nong commented May 07 '14, 10:16 p.m.

While the full text search can reveal "password" and "passwd" occurrence, I wonder how it can meet the second requirement? The second requirement basically says that the scanner needs to scan all words in the index/database.
I think it is not that there is a need to query the full text index using regex, but rather, the scanner will match each word it sees with a predefined regex pattern. For example, if the corporate rule requires the password to contain at least one numeric, then the word "bad" is definitely not a password, while "b@d" is potentially a password and an alarm will be raised.
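The two-part approach described in this thread (keyword indicators such as "password"/"passwd", then matching every token against the corporate password policy), as an added Python example that is not code from the thread or from any Jazz product; it is meant to run over exported artifact text, since the full-text search discussed above cannot take a regex. The policy regex, the skip rule for URLs and paths, the `Finding` type and the sample configuration text are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Requirement 1: keywords that indicate a password may be nearby.
KEYWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b")

# Requirement 2: a constructed corporate password policy expressed as a regex
# over one token: 8-64 non-space chars with at least one lowercase letter,
# one uppercase letter, one digit and one punctuation character.
POLICY_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s])\S{8,64}$")

# URLs and paths often satisfy such a policy by accident; skip the obvious
# ones to keep the false-positive rate manageable (assumed heuristic).
SKIP_RE = re.compile(r"^(https?://|/|[A-Za-z]:\\)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "keyword" or "policy-match"
    token: str


def scan_text(text: str) -> list[Finding]:
    """Return keyword hits and policy-conforming tokens, per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEYWORD_RE.finditer(line):
            findings.append(Finding(line_no, "keyword", m.group(0)))
        for raw in line.split():
            token = raw.strip("\"'`,;()[]{}<>")   # drop surrounding quotes/brackets
            if SKIP_RE.match(token):
                continue
            if POLICY_RE.match(token):
                findings.append(Finding(line_no, "policy-match", token))
    return findings


# Constructed sample: a properties file as it might be checked into source control.
SAMPLE = """\
# constructed sample config
db.user = appsvc
db.passwd = Tr0ub4dor&3
log.level = INFO
build.url = https://ci.example.invalid/job/Build-42!
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.token}")
```

Only the third sample line is reported, once for the keyword and once for the token that conforms to the policy; the URL on the last line would also conform but is skipped by the path heuristic.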
