---------------------------------<snip>-----------------------------
This is the bit I have trouble with.
Just about every product demands an auth'd library for install. Given
that the product has been purchased and is presumably required, how's
that "under the installation's control"?
As Dave says, this blows the whole idea of security to hell (sorry Dave,
my emphasis ... ;-)
---------------------------------<unsnip>-------------------------------
Shane, you're at a point where you must depend on the vendor's
integrity. See my previous post in this thread.
Of course, you ALWAYS have recourse to litigation for damages, if you
can show how the vendor should be held liable, either for malice or
negligence.
We had a security audit, years ago, that showed us a hole in IDMS that
could be used to bypass security. When we brought it to the attention of
the vendor, we had a fix, in source form, in 3 days flat. Unfortunately,
that was all before I started reviewing vendor code, and before my
management realised the value of penalty clauses in contracts. :-)
Rick
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html