
What is the security around the custom password field?

#1

http://docs.gurock.com/testrail-integration/defects-plugins-variables

We have Rally integration set up. We have two variables, rallyuser and rallypass. I go from there to My Settings, and I enter my Rally username and password.

How is my password secured?

0 Likes

#2

Hello Christina,

Thanks for your posting. User/defect variables of type Password are stored encrypted in the database using AES encryption. The same is true for the fallback value of the user/defect variable (which you can configure when adding/editing the field under Administration > Integration). The values are also not exposed via the user interface in any way (e.g. when editing the field under My Settings or fallback under Administration > Integration).

TestRail needs to store the integration passwords in a way that they can be restored again, as Rally requires the password to be submitted for the API authentication. TestRail stores its own passwords as salted hashes only of course.

Regards,
Tobias

0 Likes

#3

Hooray, thank you!

0 Likes

#4

You are welcome, Christina!

Regards,
Tobias

0 Likes

#5

This is a security violation.

0 Likes

#6

Hi Al,

Thanks for the post! Could you clarify this security violation or email us at contact@gurock.com so we can review this in greater detail?

Thanks,
Jon

0 Likes

#7

It is generally known among programmers that you never store passwords, even encrypted. No operating system does; it hashes the passwords and stores only the hashes, which cannot be used to derive the password. I guarantee you the Testrail developers know this already. We noticed that you encrypt the Jira passwords in the DB, but the key is most likely in the code somewhere and a decent hacker could find it. There are no clever ways to do this. You should just implement OAuth or one of the many other established secure ways to integrate Testrail with Jira/Rally/etc…

0 Likes