Well, the vendor could submit z/OS with their software installed for a security certification, but as I understand it that's very expensive and time consuming.
As for an ESM, there are a lot of facilities that won't work at all without one. BTW, just because an application isn't APF authorized and therefore doesn't have an integrity vulnerability doesn't mean that it doesn't have a security vulnerability. If it has multiple users and allows one user unauthorized access to the data of another, ... -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Clark Morris <cfmt...@uniserve.com> Sent: Tuesday, June 4, 2019 12:52 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Just how secure are mainframes? | Trevor Eddolls [Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote: >From the you can’t make this up department. Mr. Marchant agrees with me. > >https://secure-web.cisco.com/1-whmwv7ULNYR1Hukwy-H5Q9Q_4xxNp8kYaDWfQ_GoMFseGBxwIbMwKs0Rrl3jVK6OBpw-WYyZ1DTl6RV2xyK9yJCovsG-dNbqIg9MfqXdV2KiPKR3uYau79LHXCF-Nlgif0qWny0y-5PPH78itFajSf0D4z9XPR_j98gYPV7f54LfqOplIiFdoIWHcjisX6FjYJwbr5vx-cQqOuqZ2mLaAMEvPvINJsmmpb8y3aO-5oTSLdgkJ1FTPeky66f4xtwpBr_sAsFYPYJWf-zdA0rKGzFmfub4Uk8u2tQ5hCnKwcwe-nd4194giBemlc5fxp9ZhDMwUeUYBPRVnYX-wEFF2aQ-FiHbP_uDuQbwAs-3kOE1PadBdfq_GC3vPqUVOhSzB4jLwb7bkAAdmDVs7hRAqJYH6HZqI5F1zVEdsss6CNcwwI1PYaI3qkTyxmEqOXjNU6W9fckIIXxrEHy2expkw/https%3A%2F%2Fwww.compuware.com%2Fproving-z13-modern%2F > Considering that he is writing for a mainframe systems software vendor that provides APF authorized code, he has some interest in perpetuating the mainframe. Also RACF is a separately priced add-on item> Does IBM require that you license RACF or approved third party equivalent as a condition of running z/OS? Is there a mechanism for third party vendors that provide software that runs APF authorized to be somehow included in the statement of integrity or have recognized equivalents? I suspect that the data that was involved in the famous Target retailer breach was residing on a mainframe and was gotten by using credentials that were stolen from a supplier that had valid access to the data. I think the initial breach was at the supplier that was probably not running a mainframe system. Clark Morris > >Talk of “modernization” of mainframe systems is often code for redesigning >mainframe-based applications and implementing them to run on Windows, or less >frequently, on Unix or Linux. None of these systems can match the security >capabilities of modern mainframe operating systems. > > >Sent from Yahoo Mail for iPhone > > >On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant ><0000000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote: > >On Tue, 4 Jun 2019 00:01:01 +0000, Bill Johnson wrote: > >>noise and plenty of it. > >PKB. > >You have posted more to this thread than anyone else. > >You have claimed that security is the main reason people stay on the >mainframe, and posted a few articles that do not say what you claimed >they say. > >You have insisted several times that your MVS systems have never been >hacked without providing any evidence or serious reasoning as to how >you could know that. "40 years of experience" is not evidence. It's called >appeal to authority, and it is a logical fallacy. > >When your assertions are questioned, your response is to attack those >who question you rather than provide evidence. Another logical fallacy. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN