In response to "Indeed, IF you know such a trap door, you know a z/OS
vulnerability, which proves the platform is not immune. Is it as
vulnerable as Windows? No, because it's still not binary; some systems
are still more secure than others."
In my opinion (I am biased) z/OS is the most secure-able platform that I
know of. Secure-able (is that a word?) does not mean that the platform
does not have vulnerabilities (configuration and code based). There are
many people that think just like Bill Johnson. Most of them that I have
met and talked with, when presented with forensic evidence showing that
their systems have trap doors, have accepted it (they had to report
the problem to the vendor and then apply the fix - trust but verify ;-)). Due to
the way this industry treats integrity problems, that cannot currently be
done publicly.
In response to "Last, but not least: assuming you know such a trap door.
Or even several trap doors. What next?"
a) I don't submit any trap door vulnerabilities to any vendors due to
the contractual nature around how and when these vulnerabilities are
found. I am restricted in what I can disclose to whom. The companies
that license the software report the issue.
b) Vendors provide a fix for trap doors in their products. I do not fix
the vendor's code. I have not been asked to fix any installation-written
code for vulnerabilities but would if asked to.
c) If the vendor does not fix the trap door, then the company can now make an
informed decision about whether to a) assume the risk and keep the
product or b) remove the product from the system. Having the
vulnerability classification and knowing the capability of a trap door
should allow the company to have meaningful internal discussions about
the issue and decide what is best for the company. These internal
discussions can now include management, Security, Risk, pen testers and C-level
people, because the vulnerability classification (TRAP DOOR)
allows more people to understand the issue. I would argue that
allowing a company to understand the vulnerability risk and make an
informed decision in the company's best interest would be very valuable
to any company in that situation.
On 5/30/2019 6:01 AM, R.S. wrote:
As Shmuel said, an application with a trap door is an application
vulnerability.
Indeed, IF you know such a trap door, you know a z/OS vulnerability, which
proves the platform is not immune. Is it as vulnerable as Windows? No,
because it's still not binary; some systems are still more secure than
others.
Last, but not least: assuming you know such a trap door. Or even
several trap doors. What next?
a) you submitted it to IBM and they are trying to fix it.
b) despite a), you know how to fix it by homegrown
code/configuration/procedure and you offer it as a service.
c) the trap door cannot be fixed, and then your services are disputable
- you cannot help.
Of course the above *regards only the trap doors you know*, not your
services portfolio.
Besides that, you can provide many valuable services regarding
security, but not platform issues; rather people mistakes,
misconfigurations, erroneous procedures, etc.
It is worth emphasizing: while z/OS is quite secure, it may be quite
complex to configure it properly. And here there is a field for Ray,
ITschak, RSM Partners, me, etc.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN