R.S. wrote:
Rick Fochtman wrote:
-----------------------<snip>-----------------
From time to time I read on the list about companies which demand
ISVs to provide source code for SVC routines to analyze it from
security point of view.
While I don't know too much about z/OS 'guts', I'm wondering what is
the reason for that? Or rather, why is the SVC code so important,
while APF-authorized libraries are not subject to analyze. The same
applies to programs in SCHEDxx members.
AFAIK (I could be wrong) an APF-authorized program can bypass security
rules, so it can be dangerous. Is an SVC more dangerous?
Last, but not least - neither an SVC, nor a 'regular' APF-authorized
program can do anything illegal when not instructed to, so unless ISV
folks have unlimited access to the prod system it is like a dangerous
knife in my safe.
The other possibility is that a "backdoor" entry is disclosed by the ISV to
our sysprogs. In fact it would be a confession to a security hole.
---------------------<unsnip>----------------------
My last shop processed enough money in a week to pay the U. S.
National Debt, and NONE of that money was ours. We had to be like
Caesar's wife, Calpurnia. That is, not only be pure, but perceived to
be pure by all who beheld us. Security was held to be far more
important than performance by "The Powers That Be".
IMHO it is completely irrelevant. Almost every z/OS installation
processes 'non-ours' money, usually much more than a sysprog's salary.
<what a pity!> So, all shops care about security, more or less.
Caution: I don't criticise SVC examination itself. I don't want to say
it is good or it is bad. I just want to learn. My doubt is why SVCs are
so suspect while APF-authorized programs are not. It's common
knowledge that sysprog+APF means bypassing all security rules - isn't it?
---------------------<unsnip>-----------------------
Roland, you're quite correct in one respect; APF pgms and SVCs can ALL
be very dangerous. But most shops aren't quite as "intimately" involved
in the banking industry and are thus not subject to quite the same
levels of Federal oversight. Automated links to the Federal banking
system are scrutinized to a degree that some folks would find
incredible, and surprise audits by Federal agencies are an unfortunate
fact of life. I was even subject to personal audits, just because of the
nature of my position as a "highly trusted" employee. And personal
bonding isn't just optional; it's REQUIRED; hence the comment about
Caesar's wife. How many manufacturing organizations have the same levels
of scrutiny? General Motors doesn't.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html