Agile: doing the wrong thing quickly

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of ITschak Mugzach <imugz...@gmail.com>
Sent: Monday, June 3, 2019 2:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

Have no idea about Multics, but can comment on 2 & 3 as I've seen many installations here and in the EU.

1. The best way is to check the product after it was installed by the sysprog. I noticed that some of them skip installation steps. When it comes to products that depend on USS, it can be a vendor issue as well. For example, many vendors, including IBM, set the wrong UMASK. Almost all new products I examined, usually in a pre-prod assessment, depend on USS.

2. Many organizations have a single source for distributing software, usually the system's sandbox. That means that you must protect the sandbox at least as well as production clones, because if someone can access your SMP and target libraries, a zero day (not zero, but one you haven't applied a fix for yet) can be exploited in production.

3. BTW, I am seeing a move to agile development, but usually there is no security expert among the team members. These people are rare...

Don't buy anything from me!

ITschak

On Mon, Jun 3, 2019 at 9:29 PM Clark Morris <cfmt...@uniserve.com> wrote:

> [Default] On 3 Jun 2019 09:41:54 -0700, in bit.listserv.ibm-main sme...@gmu.edu (Seymour J Metz) wrote:
>
> >This whole thread has consistently confused several very different issues:
>
> I agree and have questions in each of the areas.
>
> > 1. How secure is z/OS itself?
>
> I recall reading that Multics was more secure than the concurrent MVS was at the time and wonder if that would have been a better base going forward. Does the design of z/OS and the tools for implementation make it more difficult to create and maintain a secure system? How secure are VM and TPF relative to z/OS? Does anyone have a feel for how secure and securable the Unisys and any other mainframe operating systems are relative to z/OS?
>
> > 2. How secure is 3rd party software?
>
> 30 years ago people were complaining about some of the holes in CA software. While much has changed and I assume those holes were plugged long ago, the question remains as to how we evaluate 3rd party software that by its nature has to have system hooks and run APF authorized and / or key zero (system monitors, tape management systems, etc.). Could and should changes to z/OS be made that would allow some of this software to run unauthorized and key 8? How much vulnerability do we introduce by having such things as monitors, report management systems, etc.? How much security and vulnerability is at the application level where it is the application that has to determine whether access is authorized (online banking anyone)?
>
> > 3. How secure is the typical shop running z/OS?
>
> Given the need to consider security at not only the operating system level but also the application level and the number of things that have to be controlled, I suspect that most organizations are less secure than they think they are. The problem starts with keeping the authorities that people have current as they change roles in an organization and leave that organization. Are the test systems as secure as the production systems? Have all of the people involved including operators, people doing report distribution, application developers and maintainers etc. been properly vetted? How do we monitor to make sure people haven't been compromised? The list goes on.
>
> Clark Morris
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
ITschak Mugzach | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
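The post-install check that ITschak's point 1 describes (a product installed into USS under the wrong UMASK leaves files and directories writable by everyone) can be scripted. The script below is an added example, not code from the thread or from any product or vendor mentioned in it; it assumes a POSIX shell and the POSIX `find` that z/OS UNIX System Services provides, and the install path shown in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): post-install permission audit for a
# product installed into z/OS UNIX System Services (USS). A vendor install
# that runs under a permissive umask (000 or 002 instead of 022/027) leaves
# files and directories writable by "other"; these functions find them.

# List every file or directory under $1 that is writable by "other".
# Directories carrying the sticky bit (e.g. /tmp) are skipped, since
# world-writable is expected there.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 ! -perm -1000 -print
}

# Count the findings under $1, as a plain number.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Return 0 when the octal umask in $1 (e.g. 022, 0027) clears both the
# group-write and other-write bits, i.e. when (mask & 022) == 022.
umask_is_strict() {
    [ $(( (0$1 & 022) == 022 )) -eq 1 ]
}

# Human-readable report for one install path; succeeds only when clean.
audit_install() {
    dir=$1
    n=$(count_world_writable "$dir")
    if [ "$n" -eq 0 ]; then
        echo "OK: no world-writable entries under $dir"
    else
        echo "WARN: $n world-writable entries under $dir (check the umask used at install time):"
        find_world_writable "$dir" | sed 's/^/  /'
    fi
    [ "$n" -eq 0 ]
}

# Usage (the install path is a placeholder, not a real product location):
#   audit_install /usr/lpp/PLACEHOLDER_PRODUCT
#   umask_is_strict "$(umask)" || echo "WARN: current umask $(umask) is permissive"
```

Run it against each product's USS install tree after the sysprog finishes, before the sandbox image is cloned onward; a non-zero exit from audit_install is the signal that the install step was skipped or ran under a loose umask.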