There is a software product called z/Assure Vulnerability Analysis Product that will allow a z/OS installation to identify exposures/vulnerabilities in IBM, ISV, and installation-written code. With this software product you can systematically check to see if an exposure has been introduced with maintenance or a new release.

Ray Overby
Key Resources, Inc
Ensuring System Integrity for z/Series
(312) 574-0007

On 9/8/2013 10:37 PM, Jon Perryman wrote:
No matter how much knowledge and money you have available, you can't be 100% 
secure (we still have APF). You can only secure known exposures as well as the 
technology permits and reduce areas of risk. While z/OS can be extremely 
secure, you don't review IBM's code for exposures. How about vendor code? Do 
you upgrade products and know they did not introduce an exposure? Are the 
employees 100% infallible and trustworthy?

Security is by nature obscurity. There is a saying that the solution to the 
problem only changes the problem. As others have said, this is a question about 
money, willingness and perseverance to find a hole. Userids, passwords and 
securid are obscure (unlikely but possible to guess). Encryption is unlikely 
but possible to break given time and willpower (they say CIA can crack 256 byte 
keys). RACF protects datasets from some users but not others. APF libraries are 
limited and access restricted but some users must have access. Sysprogs get 
more access to system datasets when installing new releases and updates. We 
consider these to be secure but there are ways you can get at them with luck, 
persistence and willpower.

Jon Perryman.




________________________________
From: Scott Ford <scott_j_f...@yahoo.com>



You can secure the environment one is responsible for with correct knowledge 
and funding

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

