Typically it does not come up. However, in certain cases when providing technology to sensitive organizations, especially SVC code and APF-authorized routines, there may be cause to go through the following:

1) security audit of design documents;
2) code inspection, if necessary.

Both of these under strict NDA so that nobody is stealing anybody else's secrets.

The follow-on issue is then how the vendor debugs a 'dump' when the data contained therein is itself highly sensitive. I've been in situations where only the PSW and registers were made available. So for this to work it requires a trust relationship.

----- Original Message -----
From: "Sam Siegel" <[email protected]>
To: [email protected]
Sent: Tuesday, June 18, 2013 3:46:10 PM
Subject: Re: Auditing vendor source code

On Tue, Jun 18, 2013 at 3:41 PM, Ted MacNEIL <[email protected]> wrote:

> If that is such an issue, that you really need that level of assurance,
> then don't purchase the software.
>
> I know of no vendor (large or small) that is in the business to steal your
> secrets.
>
> Besides, accessing data is not enough.
> Without templates, schema, copybooks, etc., are they going to be able to
> understand your data?
>
> It would take the computer programme that ate Manhattan to have enough
> code to decode everything.

I think that Charles is asking the opposite question. He works for a vendor and some of their code runs authorized. He is asking what audit requirements customers typically have for authorized code from small vendors.

> Then, there's finding the data.
> How does a single vendor know enough to write code to interpret naming
> conventions of DataSets, then read and understand the data?
> -
> Ted MacNEIL
> [email protected]
> Twitter: @TedMacNEIL
>
> -----Original Message-----
> From: Charles Mills <[email protected]>
> Sender: IBM Mainframe Discussion List <[email protected]>
> Date: Tue, 18 Jun 2013 14:37:23
> To: <[email protected]>
> Reply-To: IBM Mainframe Discussion List <[email protected]>
> Subject: Auditing vendor source code
>
> When you are dealing with vendors of a smaller scale than IBM, BMC or CA,
> and you are installing a product that will run APF authorized, how do you
> assure yourselves that the product is not stealing your secrets, or
> allowing others to do so (the famous magic SVC)? Do you audit source code?
> How does that process work such that it protects the vendor's IP rights
> while still satisfying you or your auditors?
>
> I'm on the vendor side of the equation, but I'm trying to put myself in the
> customer's shoes. Replies from either customers or vendors are welcome.
>
> Thanks,
>
> Charles
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
