Re: Code vulnerability

2018-12-07 Thread x ksi
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Sat., 8 Dec 2018 at 09:47 Richard Way wrote:
>
> I currently work for Micro Focus, and we have the "Fortify" product line. I 
> am NOT in that group, however, and I really don't know if it does what you 
> are looking for or not - although I know it does have support for scanning 
> mainframe COBOL for vulnerabilities. I don't know about HLASM.
>
> Something you may want to explore, if you haven't already investigated it.
>
> Rich Way
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Steve Smith
> Sent: Friday, December 07, 2018 2:14 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Code vulnerability
>
> Depends on what kind of vulnerability you're looking for.  z/OS itself isn't 
> the only valuable thing you have.
>
> sas
>
> On Fri, Dec 7, 2018 at 2:11 PM Charles Mills  wrote:
>
> > Ray Overby at Key Resources, Inc.
> >
> > Charles
> >
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of scott Ford
> > Sent: Friday, December 7, 2018 10:04 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Code vulnerability
> >
> > All,
> >
> > We write in Enterprise COBOL and HLASM and had a reseller ask us if
> > we scanned our COBOL code and HLASM code for vulnerabilities. Does
> > software for this exist? I know according to one of our people
> > SonarQube can do COBOL scans, but is expensive, like $5.
> >
> > Has anyone heard of any other software that does this function, and what
> > would they be looking for since we don't use any third-party libraries?
> >
> > Best Regards,
> >
> > *IDMWORKS *
> >
> > Scott Ford
> >
> > z/OS Dev.
> >
> >
> >
> >
> > “By elevating a friend or colleague you elevate yourself, by demeaning
> > a friend or colleague you demean yourself”
> >
> >
> >
> > www.idmworks.com
> >
> > scott.f...@idmworks.com
> >
> > Blog: www.idmworks.com/blog
> >
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> >
>
>
> --
> sas
>
>



Re: Why banks didn’t ‘rip and replace’ their mainframes | Network World

2018-09-17 Thread x ksi
2000...

This is what happens today -
https://www.itnews.com.au/news/cbas-new-private-cloud-nears-completion-moves-to-infrastructure-as-code-511657

Thanks,
Filip Palian

On Tuesday, 18 September 2018 Mark Regan wrote:

> https://www.networkworld.com/article/3305745/hardware/why-
> banks-didnt-rip-and-replace-their-mainframes.html
> --
>
> Regards,
>
> Mark T. Regan
>
>



CBA's new private cloud nears completion, moves to infrastructure-as-code

2018-08-30 Thread x ksi
Hey list,

This might be of interest to some -
https://www.itnews.com.au/news/cbas-new-private-cloud-nears-completion-moves-to-infrastructure-as-code-511657
.


Cheers,
Filip



Re: Seeking a tool to do a network security scan of z/OS

2018-07-12 Thread x ksi
Hi Lionel,

There are free/libre/open-source tools such as Nmap, OpenVAS,
Metasploit that you could use for what you intend to do.

The interweb is full of documentation, videos and other materials on
how to use these tools (also in the context of testing Mainframes).

Alternatively, commercial off-the-shelf solutions such as Nessus,
Qualys, Nexpose could be used for the same task.

As far as I can tell, there are tools developed by IBM, Vanguard, KRI
Security and some other vendors but I didn't use them and cannot
advise on their effectiveness.

Suffice it to say, all the tools have their strengths and weaknesses and
they will perform only as well as their configuration allows. That's
why having a competent operator / tester is crucial.

Depending on your requirements and available resources, I would also
recommend complementing automatic scans with manual testing. This will
allow you to identify security-related issues which cannot be found in
an automated fashion and to verify any potential findings / false positives /
false negatives.

The subject of filtering the output, interpreting the results and
triaging the findings deserves a thread on its own.

I'll be happy to provide more insights in case you have more questions.


Kind regards,
Filip Palian

2018-07-13 7:16 GMT+10:00 Seymour J Metz :
> You're talking about outbound, for which port scanning is not relevant. The 
> text "One can connect to the
> server with HELLO call" also refers to a TCP/IP connection, not to sending a 
> SPOOL file.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf of 
> ITschak Mugzach 
> Sent: Thursday, July 12, 2018 3:06 PM
> To: IBM-MAIN@listserv.ua.edu
> Subject: Re: Seeking a tool to do a network security scan of z/OS
>
> Shmuel,
>
> the SMTP server is mainly spool based. So you can create a text file
> (defined in the RFC you mentioned), write it to the spool in the writer and
> class used by the server and it will be sent. You can use a fake name and
> fake domain (the server will state "I don't know you", but will send the
> message).
>
> SMTP is so easy to penetrate if you don't have a security exit developed &
> installed. I once unloaded the security database of a client and sent part
> of it to his GMAIL account. Guess what: his Exchange was configured as a mail
> relay as well! Clients do stupid things. I told you, this is how I refill
> my ref; this is what we do most of the time in Israel & Europe.
>
> ITschak
>
> On Thu, Jul 12, 2018 at 8:14 PM Seymour J Metz  wrote:
>
>> If it works it's because they didn't properly configure the server. Just
>> connecting to the server isn't enough to send an e-mail to it. RFC 4954
>> came out in July 2007 and RFC 2554 came out in March 1999. sendmail has
>> supported it since 8.10.
>>
>>
>>
>>
>> --
>> Shmuel (Seymour J.) Metz
>> http://mason.gmu.edu/~smetz3
>>
>> 
>> From: IBM Mainframe Discussion List  on behalf
>> of ITschak Mugzach 
>> Sent: Thursday, July 12, 2018 1:08 PM
>> To: IBM-MAIN@listserv.ua.edu
>> Subject: Re: Seeking a tool to do a network security scan of z/OS
>>
>> Shmuel,
>>
>> I refill the refrigerator doing pentests. I have done this and many other
>> attacks on clients' mainframes and in 90% of the cases I am able to send
>> emails using the mainframe SMTP configured as an MTA. If you look at your
>> SMTP server log you might see some TCP connections (bingo!) or just users
>> who write a different domain name in the from clause.
>>
>> Trust me, it works.
>>
>> ITschak
>>
>> On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz  wrote:
>>
>> > Does your SMTP server not do authentication? That would certainly get the
>> > auditors' attention.
>> >
>> > Do your users respond to phish attempts? Another security problem, and one
>> > that has nothing to do with the mainframe.
>> >
>> > I suppose it's too much to expect users to look at the trace fields to
>> > determine the provenance of messages.
>> >
>> >
>> > --
>> > Shmuel (Seymour J.) Metz
>> > http://mason.gmu.edu/~smetz3
>> >
>> > 
>> > From: IBM Mainframe Discussion List  on behalf
>> > of ITschak Mugzach 
>> > Sent: Wednesday, July 11, 2018 4:35 PM
>> > To: IBM-MAIN@listserv.ua.edu
>> > Subject: Re: Seeking a tool to do a network security scan of z/OS
>> >
>> > Do you mean outside of the mainframe? Not as a single package, but NMAP
>> > will show you which ports are open on the mainframe. If your mainframe
>> > answers the scan, you already have a problem... Now assume that port 25 is
>> > open and your mail server is configured as an MTA. One can connect to the
>> > server with a HELLO call and send emails under a fake name and domain as spam
>> > to collect userids, passwords and other secrets.
>> >
>> > It's a good idea to have an extra agent to IronSphere to do that -)
>> >
>> > ITschak
>> >
>> > On Wed, Jul 11, 2018 at 9:53 PM 
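One way to look for the symptom ITschak describes in the server log (network submissions, and senders whose domain is not yours), as an added example that is not part of the thread. The log line format here is constructed and hypothetical, not the real z/OS SMTP server format; adapt the regex to your own log.

```python
import re
from typing import Dict, List

# Constructed sample log lines (hypothetical format, NOT the real z/OS SMTP
# server log): timestamp, submission path, peer or spool job, envelope
# sender and recipient.
SAMPLE_LOG = """\
2018-07-12 13:01:02 SPOOL job=PAYRPT from=batch@example.com to=ops@example.com
2018-07-12 13:02:45 TCP peer=203.0.113.7 from=ceo@example.com to=someone@gmail.example
2018-07-12 13:03:10 TCP peer=203.0.113.7 from=helpdesk@evil.example to=user1@example.com
2018-07-12 13:04:00 SPOOL job=STMTS from=statements@example.com to=cust@partner.example
2018-07-12 13:05:30 TCP peer=198.51.100.9 from=a@spam.example to=b@victim.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>TCP|SPOOL) (?:peer|job)=\S+ "
    r"from=(?P<frm>\S+) to=(?P<to>\S+)$"
)


def domain(addr: str) -> str:
    """Domain part of an envelope address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def classify(line: str, local_domain: str) -> List[str]:
    """Return the flags that apply to one log line (empty list = unremarkable)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    flags: List[str] = []
    frm_local = domain(m["frm"]) == local_domain
    to_local = domain(m["to"]) == local_domain
    if m["src"] == "TCP":
        # Mail arrived over the network rather than from the JES spool, so the
        # server is accepting submissions from network clients.
        flags.append("tcp-submission")
        if not frm_local:
            # Foreign or spoofed name in the MAIL FROM clause.
            flags.append("foreign-sender")
        if not frm_local and not to_local:
            # Neither side is ours: the server is being used as an open relay.
            flags.append("open-relay")
    return flags


def audit(log: str, local_domain: str) -> Dict[str, List[str]]:
    """Map the timestamp of every flagged line to its flags."""
    out: Dict[str, List[str]] = {}
    for line in log.splitlines():
        flags = classify(line, local_domain)
        if flags:
            out[line[:19]] = flags
    return out
```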

CA acquires Veracode.

2017-03-07 Thread x ksi
Any thoughts on the following -
https://www.ca.com/us/company/newsroom/press-releases/2017/ca-technologies-to-acquire-veracode-the-leading-saas-based-secure-devops-platform.html
?



Mainframe security assessment costs

2016-08-14 Thread x ksi
Hey group. I was wondering if some of you could share some information
about the costs various companies charged you for performing security
assessments of your mainframes? At this point literally any information
will be valuable (e.g. hourly rate, particular engagement cost, order
of magnitude for this type of engagement etc.). From what I can tell
there are companies providing such services but their prices seem to
be one big mystery. Having even a rough estimate would allow one to
better choose between various providers. Thank you in advance.


Kind regards,
Filip
