> A single TRAP DOOR code vulnerability pierces the veil of integrity and can
> be used to compromise the mainframe. Is this a platform weakness?
An application with a trap door is an application vulnerability. If there is a trap door in z/OS itself then that's a platform vulnerability. I'd be willing to bet a substantial amount that the majority of penetrations in z/OS are application, configuration, personnel and process vulnerabilities rather than z/OS vulnerabilities.

> Would you say that the elimination of User Key Common storage is an
> example of a z/OS change to address a mainframe platform weakness

Partially.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Ray Overby <[email protected]>
Sent: Wednesday, May 29, 2019 11:11 AM
To: [email protected]
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

In response to "Mistakes, lack of time, lack of control, lack of skills. Not a platform weakness." comment:

The mainframe platform, z/OS, and ESM's all rely on integrity to function. A single TRAP DOOR code vulnerability pierces the veil of integrity and can be used to compromise the mainframe. Is this a platform weakness? I think so. The platform relies on all code it runs adhering to certain rules. z/OS could be changed to better check and enforce those rules.

Would you say that the elimination of User Key Common storage is an example of a z/OS change to address a mainframe platform weakness? I think so.

An interesting observation. Thanks.

On 5/29/2019 5:25 AM, R.S. wrote:
> That's classical FUD.
> Frightening people.
> "if an exploit", "if job reads you RACF db", "unintended consequences".
> What exactly hacking scenario can provide RACF db to the hacker?
> Yes, I saw APF libraries with UACC(ALTER), UID(0) as standard TSO user
> attribute, even UPDATE to RACF db. But it's problem of people.
> Mistakes, lack of time, lack of control, lack of skills. Not a
> platform weakness.
>
> It's typical that assurance/lock/gun salesmen tend to talk about
> risks, threats and dangers. They create a vision.
> My English is poor, but I can observe it for two of debaters here.
> It's visible. I don't like social engineering.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
