On 21 Jul 2009 15:31:59 -0700, in bit.listserv.ibm-main
(Message-ID:<[email protected]>) [email protected]
(Rick Fochtman) wrote:
Shane, you're at a point where you must depend on the
vendor's integrity. See my previous post in this thread.
We had a security audit, years ago, that showed us a hole
in IDMS that could be used to bypass security. When we
brought it to the attention of the vendor, we had a fix,
in source form, in 3 days flat.
When we found a *major* security hole in another product
(it was leaking our passwords to outside organizations),
their team fought us with obtuseness and then delay. I left
my company less than a year after the vendor said they
might, eventually, fix it, so I don't know if it has yet
been fixed.
CERT and well-respected security experts tell us that many
vendors (not necessarily for mainframe) will *not* fix a
hole until someone at least threatens to go public with it.
My company would not allow me to do that.
I'm heartened to see that not all 3rd-party vendors are so
clueless.
--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com