- From an installation's point of view, all code that runs in system
  key (0-7), supervisor state, or has the ability to do so:
  - Should be considered part of the operating system (system
    extensions if you like).
  - Has the ability to circumvent the installation implemented
    security (independent of the ESM).
  - Should be corrected if an integrity exposure exists in the code.

The Vendor does not matter. A single integrity exposure from a single
vendor compromises your entire z/OS system regardless of whether you
think z/OS is secure or not. It also does not matter if you think the
ISV authorized code is part of z/OS or not. The reality is authorized
ISV code has the ability to modify the environment just like "real"
authorized z/OS code from IBM.

As it turns out, z/OS does have integrity exposures. Given that IBM is
the largest producer of authorized code for z/OS, this should not be a
surprise. IBM has a statement of integrity. This is the basis for z/OS
to be a secure operating system. Any code you install on top of z/OS
should also have an integrity statement. However, the IBM statement of
integrity does not say that z/OS does not have any integrity exposures,
just that IBM will fix them when found. There are examples of integrity
exposures in IBM z/OS (the SMPE one for instance). It is also true that
ISVs also have integrity exposures. Probably in a larger proportion
than IBM does if you look at it statistically (number of modules to
number of integrity exposures). The bottom line is all integrity
exposures regardless of source (vendor) need to be fixed if you are to
have a secure z/OS.

On 6/8/2010 15:44 PM, Howard Brazee wrote:
> On Tue, 8 Jun 2010 22:12:29 +0200 (CEST), starwars
> <[email protected]> wrote:
>> Holes in 3rd party products do not equal holes in z/OS. Get the vendor to
>> fix his mess.
> I don't know if this is necessarily true.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html