Tony Harminc has made explicit a point that I made much too obliquely. The chief use of the NVD and that ilk is to ensure that the operational software one has in current use includes fixes for the vulnerabilities listed.
Note also that for the search argument 'z/OS' NVD output does include at least one vulnerability of a CA product used under z/OS.

It is certain that other entities---government agencies, auditors, and the like---will also require reassurance about these NIST vulnerabilities and the state of a shop's operational software; and for this reason I have recommended to clients that they prepare and update weekly a standard report that provides this information. This process can be automated in significant part, at least for software that is maintained using SMP/E; and having such a report and the machinery for generating it in hand will save much time in the future. (It will also make sysprogs who anticipate this requirement look.)

John Gilmore, Ashland, MA 01721 - USA

