> -------------------------------<snip>-------------------------
>
> >But for authorized programming, the security is about as robust as moldy
> >cheese. (And I know I'm right about this!)
> >
> >Dave - I would argue that there is no implied security for authorized
> >code.
>
> I would agree. And so would IBM, which is why a security breach by an
> authorized program would not be APARable. But that sentence (<--)
> right there suggests why there needs to be.
>
> Authorized programs can breach security.
> There are too many reasons why authorized programs have to be written.
> There are too many people who write authorized programs.
> There are too many people (both inside a Corp. and outside[!]) who
> have the right to install authorized programs into authorized libraries.
>
> If I were responsible for security, I would be concerned.
----------------------------<unsnip>---------------------------------

At my last position, we had a policy of requiring a statement of security from outside vendors. They had to certify that their authorized software was not going to look in places other than defined by the software's purpose AND would not cause any system outages, directly or indirectly, AND would not create a situation such that security might be breached. And we were VERY TOUCHY about it. And the only persons allowed to update authorized libraries were a select few of the Systems Programming staff. Private SVC's had to be supplied to us in SOURCE form so we could check for "back doors", etc. These policies were derived by a team of management, legal and Systems Programming staff members. And NO VENDOR was allowed to install ANYTHING on our systems; they could oversee while our staff did the work, so we were constantly "in the loop" and knew what libraries were created and/or modified.

We found that serious vendors were more than cooperative, even (ugh) CA. Some did require confidentiality agreements, but our legal department found them acceptable.

Good tight security DEMANDS both technical and managerial participation. Period.

Rick

