At 9:16 PM +0100 11/1/07, Johan Peeters wrote:
> I think this could do a great service to the community.
> Recently I was hired by a major financial institution as a lead
> developer. They said they needed me for some Java applications, but it
> turns out that the majority of code is in COBOL. As I have never
> before been anywhere near COBOL, this comes as a culture shock. I was
> surprised at the paucity of readily available information on COBOL
> vulnerabilities, yet my gut feeling is that there are plenty of
> security problems lurking there. Since so much of the financial
> services industry is powered by COBOL, I would have thought that
> someone would have done a thorough study of COBOL's security posture.
> I certainly have not found one. Anyone else?

Can anyone point to stories about Cobol exploits?

I mean exploits that have to do with the nature of the language, not
social engineering attacks that happened to take place against a Cobol

My limited exposure to Cobol makes me think it is as unlikely to have
a buffer overflow as PL/I or Ada.
Larry Kilgallen
Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC
as a free, non-commercial service to the software security community.