Integrated Password Encryption
I realize uservoice suggestions regarding password encryption have been reviewed and declined in the past. I'm proposing something a bit different.
Back when I was using Quick Test Professional, they had a little password encryption tool where you could run your password through and use the output string in a set secure method during automation.
I'd like to see a similar integration in Ranorex. I could build something out myself, but the encryption keys would either be in the code base or I'd have to distribute dll files.
Ranorex is in a better position to provide this relatively simple functionality.
The process flow would go something like this:
1) User encrypts the password using a utility provided by Ranorex
2) The output of the encryption utility would be stored as plain text just like any other data elements.
3) Ranorex would provide a "setSecure" method that would place the decrypted value in the target input object.
Such functionality would allow me to meet the security requirements set forth by my organization, which is basically to NOT store plain text passwords in unsecured locations like test cases.
I think this might also meet the general needs of other users who have suggested similar ideas.
The problem with this is that – at some point in time – Ranorex will definitely need the plain text value, because it has to use this value to do some action. If the value is encrypted, Ranorex will have to decrypt it. For this it needs a key. Either this key is saved (again, in plain text) or it requires a user interaction (a password), which defeats the purpose of an automated test.
If there are several actions that require this encrypted value, this password is required every single time. If Ranorex should save that password (because you don’t want to enter it in several places during the test run), it has to be saved somewhere – again in plain text.
And even then, at some point, Ranorex has to decrypt the value, and at this point the plain text value is there in the memory, even if it is deleted shortly after. Using debug mode it is still easy to get that value.
All in all: Please never use sensitive data in an automated test. There is no way of protecting this data (no matter what a vendor of a test automation tool tells you) safely. Always use dummy/test data, or use a test system without critical information.
We could implement some way of making it “more secure”, but we have decided against that, as this would just give users the false impression that their data would be completely secure.
There are some other ways of making this possible, but all of them either require an Internet connection or immense help from the operating system, both of which we can’t/don’t want to rely on.
The Ranorex Product Management Team
Douglas Vaughan commented
I'm not sure what's meant by "real" encryption&decryption requirements. The issue is that sensitive data is stored as plain text within the test or testing asset like a data source. Data from a data source can be masked in the report which is good, but it is stored as plain text in the data source. Likewise there is no option to mask parameter data from the report which is bad.
I don't have specific encryption requirements such as AES or DES. I can use workarounds such as encrypting the value before execution and decrypting it on the fly, but in general that value won't be masked on the report when it gets set. Furthermore the decryption keys are going to be easily available in the source code.
Ideally Ranorex would create a means for a user to encrypt a value in such a way that the value could be used by anyone executing the script but could not be readable. I wouldn't say it was necessary that the encrypted value be portable (reusable) between solutions, but it should be usable by anyone running that solution.
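The three-step flow from the suggestion, together with the key-storage point from the reply, as an added Python sketch; this is not Ranorex code and not part of the original thread. `encrypt_tool`, `set_secure`, `InputField` and `EMBEDDED_KEY` are hypothetical names, and the HMAC-based keystream is a standard-library stand-in for a real cipher such as AES.

```python
import base64, hashlib, hmac, os

# Assumption: for unattended runs the key ships with the test solution.
EMBEDDED_KEY = b"constructed-demo-key"  # constructed sample value

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_tool(password, key=EMBEDDED_KEY):
    """Step 1: hypothetical utility; returns a text token for the data source."""
    nonce, data = os.urandom(16), password.encode()
    stream = _keystream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt_token(token, key=EMBEDDED_KEY):
    """Needs only the token and the key that ships with the solution."""
    raw = base64.b64decode(token)
    if len(raw) < 48:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token modified or encrypted under a different key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

class InputField:
    """Hypothetical stand-in for the target input object."""
    def __init__(self):
        self.value = ""

def set_secure(field, token, report):
    """Step 3: decrypt at the moment of use and mask the value in the report."""
    field.value = decrypt_token(token)  # plaintext now lives in process memory
    report.append("set_secure: value=********")

if __name__ == "__main__":
    token, field, report = encrypt_tool("Tr0ub4dor-constructed"), InputField(), []
    set_secure(field, token, report)
    print(token, report, field.value == decrypt_token(token))
```

The stored token and the report line stay unreadable, while `field.value` and any caller of `decrypt_token` see the plain text, which is the trade-off both sides of the thread describe.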