--------------------------------<snip>--------------------------------------
The presumption seems to be that no "outsider" would have the ability to
put a program into APF authorized libraries. Well, what about 3rd party
vendors? We certainly provide the motivation to induce "insiders" to
place our programs into authorized libraries. But what are we?
"Insiders"? "Outsiders"?
(As mentioned in my prior post, one technical way to partially address
this exposure would be for IBM to reduce the number of reasons requiring
a program to run authorized.)
--------------------------------<unsnip>------------------------------------
I've always required that 3rd party vendors include penalty clauses in
their contracts, such that if their software contributes to a security
breach, then they pay penalties that are downright Draconian. Failing
that, I want to review all authorized source code, as well as any
mechanisms that communicate to unauthorized code. I would be happy to
execute, and abide by, a non-disclosure agreement if that was required.
If the vendor wouldn't agree to one or the other of those terms, we looked
somewhere else. I only had one vendor refuse and they blew a $200,000
deal just that quickly.
(I even got a look at some serious IBM code, but as far as I know, the
NDA is still in effect so I can't go into details.)
"You want to play in my yard, you play by my rules. Period."
Rick
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html