A week ago I completed a COBOL security code review for a client in Europe. I was asked to review security risks in about 3,000 COBOL programs in a finance application.
On the starting line stood a well-known scanner and I. It took me two days to get the first 20 high-level findings and about ten days to find the rest. The scanner did it much quicker, but it found only one finding... The problem with scanners is their inability to get the context of the finding, and they create a lot of false findings.

As always, I returned to programming the techniques I used to identify the risks in the COBOL programs. The program is developed in Rexx (TSO, compiled, and CPU-serial limited), but can be ported easily to any COBOL-enabled platform. Currently it runs as a per-program Automated Code Reviewer, but soon it will scan an entire library, so in the near future it will support both a standalone module to incorporate into a change management product and a tool you can run periodically. This COBOL Code Reviewer module will be part of our IronSphere ISCM (Information Security Contiguous Monitoring) platform for legacy that monitors security status based on DoD STIGs (details at http://www.securiteam.co.il), and the findings will be reported to the IronSphere Server.

Now, the reason I am writing here is not to promote IronSphere, but to look for a Beta tester. The best Beta site will run COBOL, CICS, DB2 and use technologies like JSON, XML (better reading than writing), Web Services and maybe IMS. There is no need to install the IronSphere Server at this stage. The tool is still limited, but already has the infrastructure (resolving COPYBOOKS and tracing variables) and some checks. A by-product of this scan is a cross-reference of Copybooks and programs (static & dynamic calls) found in the program.

Some examples of findings are:
- Subroutines that are called statically & dynamically in the same program (so there might be different versions of the same program, giving different results).
- Main COBOL CICS program (Transaction) that calls SP-related services (end user can access CICS resources).
- Data tables in DATA DIVISION (no separation of duties).

The results are printed in IronSphere finding table format (STIG) showing the program name, line number, statement, finding (what is wrong) and explanation. Ideas and COBOL security issues are welcome. If you are interested in testing the product please contact my SecuriTeam email address: [email protected]. You'll get a short installation manual, the IronSphere Stand-alone Cobol Code Reviewer (IronSphere CCR) and a key for your CPU, both as load modules in XMIT format.

ITschak

--
ITschak Mugzach | IronSphere Platform | Automatic ISCM (Information Security Contiguous Monitoring)
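As an added example, not the author's Rexx tool and not IronSphere output, here is a minimal Python version of the first check in the list above (a subroutine called both statically and dynamically in one program), together with the two pieces of infrastructure the post mentions: resolving COPY members and tracing the literal values a data item can hold. The COBOL program, the copybook and every name in them (PAYMAIN, PAYCALC, WSCALLS, the WS-* items) are constructed for the illustration and are hypothetical. Findings are emitted with the same fields the post describes: program name, line number, statement, finding and explanation.

```python
"""Static-vs-dynamic CALL check over fixed-format COBOL source.

Added illustration, not the IronSphere tool: resolves COPY members from an
in-memory dictionary, traces literal values assigned to identifiers, and flags
subroutines that the same program calls both statically and dynamically.
"""
import re
from dataclasses import dataclass

# Constructed copybook (hypothetical names), used in place of a copy library.
COPYBOOKS = {
    "WSCALLS": [
        "       01  WS-SUBPROGS.",
        "           05  WS-RTN-NAME     PIC X(8) VALUE 'PAYCALC '.",
        "           05  WS-AUDIT-NAME   PIC X(8) VALUE 'AUDITLOG'.",
    ],
}

# Constructed program (hypothetical); it calls PAYCALC both ways on purpose.
PROGRAM_SOURCE = """\
000100 IDENTIFICATION DIVISION.
000200 PROGRAM-ID. PAYMAIN.
000300 DATA DIVISION.
000400 WORKING-STORAGE SECTION.
000500 COPY WSCALLS.
000600 01  WS-DYN-NAME         PIC X(8).
000700 01  WS-RC               PIC S9(4) COMP.
000800 LINKAGE SECTION.
000900 01  LS-PARM-NAME        PIC X(8).
001000 PROCEDURE DIVISION USING LS-PARM-NAME.
001100 MAIN-PARA.
001200*    Static call, bound at link-edit time (NODYNAM assumed).
001300     CALL 'PAYCALC' USING WS-RC.
001400*    Dynamic call through a variable initialised in the copybook.
001500     CALL WS-RTN-NAME USING WS-RC.
001600     CALL WS-AUDIT-NAME USING WS-RC.
001700*    Target assigned by a MOVE; traceable because the literal is in source.
001800     MOVE 'PAYCALC' TO WS-DYN-NAME.
001900     CALL WS-DYN-NAME USING WS-RC.
002000*    Target supplied by the caller; a static scan cannot resolve it.
002100     CALL LS-PARM-NAME USING WS-RC.
002200     GOBACK.
"""

COPY_RE = re.compile(r"^COPY\s+([A-Z0-9-]+)", re.I)
VALUE_RE = re.compile(r"^\d+\s+([A-Z0-9-]+)\s.*?\bVALUE\s+(['\"])([^'\"]*)\2", re.I)
MOVE_RE = re.compile(r"^MOVE\s+(['\"])([^'\"]*)\1\s+TO\s+([A-Z0-9-]+)", re.I)
CALL_RE = re.compile(r"^CALL\s+(?:(['\"])([^'\"]+)\1|([A-Z0-9-]+))", re.I)


@dataclass
class Finding:
    program: str
    line: int
    statement: str
    finding: str
    explanation: str


def code_area(raw):
    """Fixed format: cols 1-6 sequence, col 7 indicator, 8-72 code. None for comment/blank."""
    line = raw.rstrip("\r\n").ljust(72)[:72]
    if line[6] in "*/":
        return None
    return line[7:].strip() or None


def expand_copybooks(program, lines, copybooks):
    """Yield (source, line_no, code) with COPY statements replaced by member lines."""
    for no, raw in enumerate(lines, 1):
        code = code_area(raw)
        if code is None:
            continue
        m = COPY_RE.match(code)
        member = m.group(1).upper() if m else None
        if member is None or member not in copybooks:   # unresolved COPY stays visible
            yield program, no, code
            continue
        for mno, mraw in enumerate(copybooks[member], 1):
            mcode = code_area(mraw)
            if mcode is not None:
                yield member, mno, mcode


def analyze(program, lines, copybooks):
    """Return (findings, xref); xref maps target -> {'static': [...], 'dynamic': [...]}."""
    stmts = list(expand_copybooks(program, lines, copybooks))

    # Pass 1: every literal a data item can hold (VALUE clause or MOVE 'lit' TO item).
    # Flow-insensitive on purpose: a scanner sees candidate values, not the run-time one.
    literals = {}
    for _, _, code in stmts:
        m = VALUE_RE.match(code)
        if m:
            literals.setdefault(m.group(1).upper(), set()).add(m.group(3).strip().upper())
        m = MOVE_RE.match(code)
        if m:
            literals.setdefault(m.group(3).upper(), set()).add(m.group(2).strip().upper())

    # Pass 2: classify every CALL and build the cross-reference.
    xref = {}
    for source, no, code in stmts:
        m = CALL_RE.match(code)
        if not m:
            continue
        if m.group(2):                                  # CALL 'literal' -> static
            targets, kind = {m.group(2).strip().upper()}, "static"
        else:                                           # CALL identifier -> dynamic
            ident = m.group(3).upper()
            # No literal anywhere in source (e.g. a LINKAGE item): keep it as unresolved.
            targets, kind = literals.get(ident) or {"?" + ident}, "dynamic"
        for target in targets:
            xref.setdefault(target, {"static": [], "dynamic": []})[kind].append((source, no, code))

    findings = []
    for target, sites in sorted(xref.items()):
        if sites["static"] and sites["dynamic"]:
            src, no, code = sites["static"][0]
            dyn = ", ".join(f"{s}:{n}" for s, n, _ in sites["dynamic"])
            findings.append(Finding(
                program=src, line=no, statement=code,
                finding=f"{target} is called both statically and dynamically",
                explanation=(f"The static CALL here is link-edited into the load module; the "
                             f"dynamic CALL at {dyn} loads whichever {target} is in the run-time "
                             f"library, so two versions of the subroutine may execute."),
            ))
    return findings, xref


if __name__ == "__main__":
    found, table = analyze("PAYMAIN", PROGRAM_SOURCE.splitlines(), COPYBOOKS)
    for f in found:
        print(f"{f.program} | {f.line} | {f.statement} | {f.finding} | {f.explanation}")
    for target, sites in sorted(table.items()):
        print(target, {k: [n for _, n, _ in v] for k, v in sites.items()})
```

Two caveats a practitioner would add before trusting such a check. First, the static/dynamic split assumes the program is compiled with NODYNAM; under the DYNAM compiler option a literal CALL is also resolved at run time, so the scanner needs the compile options, not just the source. Second, the tracer is flow-insensitive and only follows VALUE clauses and direct `MOVE 'literal' TO item`; a target built from a group move, a table lookup or a caller-supplied LINKAGE item (LS-PARM-NAME above) shows up in the cross-reference as an unresolved `?ITEM` entry, which is itself worth reporting rather than silently dropping.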
