charl...@mcn.org (Charles Mills) writes:
> I am not certain that "MVS exposures" versus "lax security" is a black and
> white dichotomy. It's easy to look after the fact at any breach and say
> "aha! You should not have done X." I don't think the role of we security
> practitioners is solely pointing out "exposures" in MVS to IBM. I think
> helping customers with common less-than-ideal practices is more important.
>
> Logica was a professional service bureau with a professionally-maintained
> z/OS. They got breached. One might infer that other MVS sites, and not just
> those with "lax" (however defined) security practices, might also be
> vulnerable.

long ago and far away we were brought in as consultants to a small
client/server startup that wanted to do payment transactions on their
server; they had also invented this technology they called SSL that they
wanted to use; the result is now frequently called e-commerce.

early experience found that RDBMS-based e-commerce servers had more
frequent exploits than flat-file based e-commerce servers ... these
weren't intrinsic to the environment ... it was that RDBMS-based
e-commerce servers were a lot more complicated ... and as a result people
were more prone to making mistakes resulting in exploits (there is some
amount of security literature about "exploits proportional to
complexity", which is a counter to the periodic meme of "security
through obscurity").

much more recently there have been some SQL-specific attacks
http://en.wikipedia.org/wiki/SQL_injection

which claims that they can attack any type of SQL database (although a
case might be made that SQL-injection is another characteristic of
RDBMS/SQL being more complex).

disclaimer: I periodically have stressed KISS as a major security theme.

-- 
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
