Performing penetration testing on your z/OS system is an option. There
is a product called z/Assure which will identify z/OS integrity based
vulnerabilities that reside on your system. At a high level you would:

-    Run z/Assure
-    Review the output
-    For each identified vulnerability:
        -    Identify the code owner (a vendor or installation written program)
        -    Send Vulnerability information report to code owner
        -    Code owner reviews vulnerability information, understands the problem, and then creates remediation for the problem.
        -    Code owner sends you the remediation
        -    You apply remediation to your system
-    Re-run z/Assure to ensure remediation:
        -    Actually fixed the original vulnerability
        -    Did not introduce additional vulnerabilities

You should note:

-    No source code is required for this process.
-    Exploits need not be created (unless code owner won't work on the
problem without one)
-    The person running z/Assure does not have to be a z/OS internals
expert.

Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series^(TM)
www.zassure.com
(312)574-0007


On 2/25/2012 03:35 AM, Gibney, Dave wrote:
I wouldn't say no qualms at all :) Products from the unnamed ISV have been 
here since before I started. As has the authorized link list.
For better or worse, I am stuck with trusting the vendors to not leave gaping 
backdoors.

And, I did ask, without success so far, over on RACF-L what is advised to 
lock the gates better. If you can't get your own code running on my system, can 
you use this hole?

-----Original Message-----
From: IBM Mainframe Assembler List [mailto:ASSEMBLER-
[email protected]] On Behalf Of Shane G
Sent: Friday, February 24, 2012 7:41 PM
To: [email protected]
Subject: Re: Program FLIH

And (given the discussion so far) you feel no qualms about handing the keys
of the realm to any and all persons of unknown (programming)
quality/probity?

I have harped on about this for years elsewhere, and keep getting beaten
down as "unjustified" (that was the politest synonym I could come up with).

Shane ...

On Sat, Feb 25th, 2012 at 4:54 AM, "Gibney, Dave" wrote:

...
When any of the vendors I named instruct me so, I dutifully APF their
libraries and they often reside in the linklist which we at least do
set APF via IEASYSxx.
