On 27/1/22 4:35 am, Tom Brennan wrote:
Those are things we don't like to talk about :)

Indeed!


And even less talked about: What's to stop a trusted ISV or even IBM from being hacked or having a rogue employee that does the same?

Absolutely nothing. Any executable code that runs authorized can contain vulnerabilities. Some of our best guys, distinguished engineers etc., run our Secure Engineering training. We also use IBM's Secure Engineering scanner, which checks executable code for vulnerabilities. I haven't used it but I attended a training session and it can detect all sorts of nasties. You can see an example of a z/OS security vulnerability it detected here https://www.ibm.com/support/pages/apar/OA38586.

I haven't checked lately, but how many packages are there on the CBTtape that switch to supervisor state key 0 when they don't require key 0? Unfortunately, that was and still is quite a common practice.



On 1/26/2022 11:41 AM, Gibney, Dave wrote:
If I was a long term bad actor, or perhaps a nation/state, I might consider evaluating open source for useful/popular components. Then, contribute to their development, spread, and usefulness, while inserting subtle exploitable defects.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
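The point above about packages that go to supervisor state / key 0 for their whole run is something you can at least triage mechanically. The following is an added example, not code from this thread, from IBM or from the CBTtape: a small Python heuristic that scans fixed-format HLASM source for the MODESET macro (KEY=ZERO / MODE=SUP to raise, KEY=NZERO / MODE=PROB to drop back), for the SPKA instruction and for a raw SVC 107 (the MODESET SVC), and reports how many statements each member executes between raising privilege and giving it back. The three members it scans are constructed samples, not real CBTtape code; the function names are my own. It does not expand macros or follow continuation lines, so treat it as a way to find candidates for manual review, not as proof that a member is safe.

```python
"""Heuristic audit of HLASM source for supervisor-state / key 0 escalation.

Added example (not from the mailing-list thread or the CBTtape). Flags
MODESET KEY=ZERO / MODE=SUP / EXTKEY=ZERO, SPKA and raw SVC 107, and reports
whether a member ever drops back to problem state / a non-zero key and how
many statements it runs while privileged.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample members (hypothetical, not real CBTtape code).
SAMPLE_MEMBERS: Dict[str, str] = {
    "GOODPGM": """\
GOODPGM  CSECT
         STM   14,12,12(13)
         MODESET KEY=ZERO,MODE=SUP     key 0 only for the CSA update
         MVC   CSAFLD,=F'1'
         MODESET KEY=NZERO,MODE=PROB   drop back immediately
         LM    14,12,12(13)
         BR    14
""",
    "LAZYPGM": """\
LAZYPGM  CSECT
         STM   14,12,12(13)
         MODESET KEY=ZERO,MODE=SUP     run the whole program in key 0
         OPEN  (INDCB,INPUT)
         GET   INDCB
         LM    14,12,12(13)
         BR    14
""",
    "NOESC": """\
NOESC    CSECT
         STM   14,12,12(13)
         OPEN  (INDCB,INPUT)
         BR    14
""",
}

RAISE_RE = re.compile(r"KEY=ZERO|MODE=SUP|EXTKEY=ZERO")
RESTORE_RE = re.compile(r"KEY=NZERO|MODE=PROB")


def parse_statement(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (label, op, operands) for one fixed-format HLASM line.

    Comment lines ('*' or '.*' in column 1) and blank lines yield None.
    A non-blank column 1 means a label is present. Anything after the
    operand field is treated as a remark. Continuation lines are not handled.
    """
    if not line.strip() or line.startswith("*") or line.startswith(".*"):
        return None
    fields = line.split()
    if line[0] != " ":
        label, rest = fields[0], fields[1:]
    else:
        label, rest = "", fields
    if not rest:
        return None
    op = rest[0].upper()
    operands = rest[1].upper() if len(rest) > 1 else ""
    return label, op, operands


def audit_member(source: str) -> dict:
    """Scan one member and summarise its privilege changes."""
    raises: List[int] = []
    restores: List[int] = []
    notes: List[str] = []
    in_priv = False
    window = 0  # statements executed after a raise and before a restore
    for lineno, line in enumerate(source.splitlines(), 1):
        parsed = parse_statement(line)
        if parsed is None:
            continue
        _, op, operands = parsed
        if op == "MODESET":
            # A MODESET that both raises and drops is treated as a raise.
            if RAISE_RE.search(operands):
                raises.append(lineno)
                in_priv = True
                continue
            if RESTORE_RE.search(operands):
                restores.append(lineno)
                in_priv = False
                continue
        elif op == "SPKA":
            notes.append(f"line {lineno}: SPKA changes the PSW key directly")
        elif op == "SVC" and operands == "107":
            notes.append(f"line {lineno}: raw SVC 107 (MODESET), direction not visible statically")
        if in_priv:
            window += 1
    if raises and not restores:
        verdict = "raises key 0/supervisor state and never drops it"
    elif raises:
        verdict = "raises and later drops privilege"
    else:
        verdict = "no explicit MODESET escalation found"
    return {"raises": raises, "restores": restores, "window": window,
            "notes": notes, "verdict": verdict}


def audit_all(members: Dict[str, str]) -> Dict[str, str]:
    """Map member name -> verdict for a dict of member sources."""
    return {name: audit_member(src)["verdict"] for name, src in members.items()}


if __name__ == "__main__":
    for name, src in SAMPLE_MEMBERS.items():
        r = audit_member(src)
        print(f"{name:8} {r['verdict']} (privileged statements: {r['window']})")
        for n in r["notes"]:
            print("         ", n)
```

Run it against a directory of unloaded CBTtape members by reading each file into the dict in place of SAMPLE_MEMBERS. A member that raises key 0 and never restores it, or whose privileged window covers essentially the whole program, is the pattern the thread is complaining about; a member with a window of one or two statements around a CSA or control-block update is what you want to see.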