On Nov 2, 2007, at 12:13 AM, Mark Rockman wrote:

> I'm sure you can write COBOL programs that crash, but it must be hard to make them take control of the operating system.
If software exploits were "only" isolated to OS compromise, that'd be just fine. But let's not forget that an application can be thoroughly compromised by an attacker who never leaves the realm of the application -- e.g., providing spoofed credentials to read another user's customer data in a database app. The business logic data access control (authorization) is just one area of an app that transcends implementation language. A poorly designed authorization model can be implemented in pretty much anything, I believe.
Let's get past the simple buffer overflow exploit to get OS access. IMHO, it's right to consider mainframe/COBOL apps carefully. Although we likely won't find a buffer overflow "smoking gun", I'll bet we are likely to find examples of bad security logic that can lead to app compromise. Plus, let's face it, modern attacks are moving more and more towards the pure application layer (think XSS, SQL/XML injection, cross-site request forgery, etc.), AND they're increasingly financially motivated.
Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
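The authorization flaw Ken describes (a user supplying someone else's customer identifier and reading their record) is independent of the implementation language, and it survives even when the query itself is injection-proof. The following is an added example, not code from the original post or from any project discussed in it; it uses a constructed in-memory SQLite table with made-up customers and hypothetical function names to show the vulnerable lookup beside a hardened one that scopes the query to the authenticated session and records denied attempts for detection.

```python
import sqlite3

# Constructed sample data for this example: two customers, each owning one record.
SAMPLE_ROWS = [
    (1, "alice", "Alice Example", "acct-1001"),
    (2, "bob", "Bob Example", "acct-2002"),
]

# Constructed audit trail: denied cross-customer reads are appended here so a
# monitoring job can alert on a session probing other users' identifiers.
DENIED_ACCESS_LOG = []


def build_db():
    """Create an in-memory database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, login TEXT, name TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_customer_insecure(conn, customer_id):
    """Vulnerable pattern: the record is selected purely by the client-supplied id.

    The query is parameterized, so it is not injectable, yet any logged-in user
    can read any customer's row just by changing the id they send. The missing
    piece is the authorization check, not the SQL.
    """
    return conn.execute(
        "SELECT id, name, account FROM customers WHERE id = ?",
        (customer_id,),
    ).fetchone()


def get_customer_secure(conn, session_login, customer_id):
    """Hardened pattern: the lookup is bound to the authenticated session.

    The login comes from the server-side session, never from the request, and
    is part of the WHERE clause, so a row is returned only if the requesting
    user owns it. A miss is logged for detection rather than silently ignored.
    """
    row = conn.execute(
        "SELECT id, name, account FROM customers WHERE id = ? AND login = ?",
        (customer_id, session_login),
    ).fetchone()
    if row is None:
        DENIED_ACCESS_LOG.append((session_login, customer_id))
    return row


def demo():
    """Return both outcomes for the same request so they can be compared."""
    conn = build_db()
    # Alice's session asks for customer id 2, which belongs to Bob.
    leaked = get_customer_insecure(conn, 2)
    blocked = get_customer_secure(conn, "alice", 2)
    own = get_customer_secure(conn, "alice", 1)
    conn.close()
    return leaked, blocked, own


if __name__ == "__main__":
    leaked, blocked, own = demo()
    print("insecure lookup returned:", leaked)
    print("secure lookup returned:", blocked)
    print("secure lookup of own record:", own)
    print("denied attempts logged:", DENIED_ACCESS_LOG)
```

The design choice worth noting is that ownership is enforced inside the query rather than by a separate check after fetching the row: the database never hands back data the session is not entitled to, and the denied-access log gives the operations team a signal that a session is enumerating identifiers.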
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________