The only "advantage" (note the quotes!) of a roll-your-own solution is
security by obscurity. There are also many evil eyes looking for
vulnerabilities in the open source packages. Your own COBOL solution? Maybe
no evil eyes (maybe a few?).

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On
Behalf Of Seymour J Metz
Sent: Monday, December 13, 2021 7:24 AM
To: [email protected]
Subject: Re: New Java vulnerability

The packages in open repositories for languages like Java and Perl have many
eyes examining them, even if there are no official bodies certifying them.
How does that make any of those packages less secure than a roll-your-own
package in COBOL? In fact, how is it not the other way around? Why isn't it
more likely that a vulnerability in an open source package will be caught
than in an RYO?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [[email protected]] on behalf of
John McKown [[email protected]]
Sent: Monday, December 13, 2021 8:04 AM
To: [email protected]
Subject: Re: New Java vulnerability

On Mon, Dec 13, 2021 at 6:14 AM Andrew Rowley <[email protected]>
wrote:

> On 13/12/2021 10:52 pm, Filip Palian wrote:
> > @Andrew Rowley, you may want to check this outstanding work from Adam
> > Gowdiak (search for "ibm java" or "oracle java" or simply check it all):
> >
> > https://secure-web.cisco.com/1h_NLRTubSIGCX-uZ_j59bYsjZCIADZQzzFU_e_Z8tcAuZ4e-x0OqwslFpk7Tbu1rr51bvA3IfLy4EPKgfk_takOX9fCKqYBpXma1zH_HeMiZFFP6oO4su-LhB8tAV_vBw-gZYu8Qq2s_ZCorZ4_93XDEonvqi1ikoD_pt6fHJrwo-C6cfJiIC_C7hVQ1HEbSPkzjJdXIqyly5RENIy32PA4n-m4P4Sx76om0dUuiOD9jSzx_tWJr73a20BhNFd7OpwtUGLdrArufk_avdScJxVfhCrXDfkH0vssynmoQZ6SBTxLqqW3SMisHstvwcKkLmFNdXii9-OrLTk3oXmTtwuBx4Ec3njSD_dB_jRng9GWpVkiqRBUpbnQzNX-mndmzbbL4OOL6NjG4B6ga460mr18GW_dGyiz_zT2VKsy5FCN_Zj756vmRQ1xcVElXnQbj/https%3A%2F%2Fpacketstormsecurity.com%2Ffiles%2Fauthor%2F3682%2F
> You might have to spell it out for me because I can't figure it out.
> Again these look to me like various forms of sandbox escape.
>
> Which of these makes Java less secure than the same program written in
> e.g. COBOL?
>

I don't think COBOL is explicitly, or implicitly, more secure than the base
Java language. The "problem" is not the Java language, but the Internet
infrastructure built into the Java libraries and "add on" facilities such
as LOG4J. A COBOL programmer would most likely write their own logging
facility whereas a Java programmer would have a much larger selection of
"prebuilt" libraries to use & would so likely use them. These facilities
might or might not have any vulnerabilities in them. But I doubt that
anyone is really validating them. The same with C/C++. Or any other
"popular" languages. The PERL and R languages have CPAN and CRAN web sites
full of user supplied programs. COBOL does not have that sort of thing.
IBM, in the supplied COBOL libraries, tries to validate that they do not
compromise system reliability and availability.  Routines from the Internet
are NOT validated by an outside source. In that way, COBOL is "more
secure", in a certain sense. It's also why not many mainframe web
applications are built using COBOL. JAVA is easier to use because it has so
much "free stuff" which is already developed for Web type things.

>
> Andrew Rowley
>
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN