On 8 May 2012 11:06, Pascoe, Raymond M <[email protected]> wrote:

> Not sure if this forum is the appropriate place to ask this question, so
> please advise.

It's a fine place to ask.

> We have been requested by the Centers for Medicare and Medicaid, as a part of
> our mainframe compliance program (using NIST and DISA STIGs), to use the
> national vulnerability database http://web.nvd.nist.gov/view/vuln/search to
> identify vulnerabilities which affect the zOS operating system running on the
> IBM mainframe.
>
> Is the National Vulnerability Database the right place to look for zOS
> vulnerabilities in the first place?

I doubt that most of the discovered vulnerabilities get into it, but it doesn't hurt to look there.

> We are primarily looking for vulnerabilities for zOS operating system, but
> would also be interested in searching for vulnerabilities in third party
> software packages from vendors such as CA Technology.
>
> Any guidance and/or the appropriate keyword search(es) for the NVD which can
> be used to meet this objective would be appreciated.

IBM publishes a series of documents with titles like "Security Target for IBM z/OS Version 1 Release nn", which I believe are intended for Common Criteria evaluation by various governments. The German Federal Office for Information Security (BSI) publishes what it has evaluated, and there may be others. They are referenced in the _Planning for Multilevel Security and the Common Criteria_ book, and you can also simply plug in release numbers and such and see what your favorite search engine comes up with. (Do watch out for bogus sites that collect anything they think will get them search engine points and/or serve ads to you.) Take note also that there are similar documents for some other IBM operating systems, and for hardware.

One can learn quite a bit from these published documents, not least lists of fixes that must be applied in order to pass the claimed security specifications, from which one might reasonably infer that the fixes are for software vulnerabilities. Obviously IBM has much juicier internal versions of these documents.

I don't know if there is an official way to get hold of this kind of material, either from IBM or from your national government. In any case, the weaknesses described are almost certainly long since fixed.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

