Hey,
In addition to Radoslaw's response, any reasonable security team will
assist and coordinate investigation and remediation efforts with the
vendor. Exclusion from scope is a last resort but a totally valid option.
Capture what needs to be captured in your documentation and threat models,
introduce
Passing secret material in the command line for long-running and daemon
processes is never a good idea [;
"The sshpass utility is designed to run SSH using the keyboard-interactive
password authentication mode, but in a non-interactive way." - recommended
approach is to use key authentication inst
Depending on the use case https://www.stunnel.org can also be used exactly
for this purpose.
Cheers,
FP
Tue, 9 Jan 2024 at 12:01 Andrew Rowley wrote:
> On 9/01/2024 6:26 am, Rick Troth wrote:
> >
> > It's been a minute, but I used SSH to carry PPP traffic back in the day.
> > The client sid
For this type of verification SBOMs seem to be the way moving forward:
https://cyclonedx.org/use-cases/#known-vulnerabilities
Cheers,
FP
On Friday, 5 January 2024, rpinion865 <
042a019916dd-dmarc-requ...@listserv.ua.edu> wrote:
> Does anyone know if the z/OS implementation of ssh i
Tue, 14 Dec 2021 at 15:12 Andrew Rowley wrote:
> On 14/12/2021 12:30 am, Filip Palian wrote:
> > My intention was to share information about the vulnerabilities affecting
> > Java language. (Without performing a proper comparison) I'd prefer not to
> > get into dis
Tue, 14 Dec 2021 at 16:23 Cheryl Watson wrote:
>
> Does IBM have anything to say about this? I assume it's on their security
> portal.
>
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
Cheers,
s1m0n
Tue, 14 Dec 2021 at 02:23 Seymour J Metz wrote:
> The packages in open repositories for languages like Java and Perl have
> many eyes examining them, even if there are no official bodies certifying
> them.
>
Correct. There's Internet bug bounty, independent enthusiasts, Google
project zero,
Tue, 14 Dec 2021 at 00:04 John McKown wrote:
> I don't think COBOL is explicitly, or implicitly, more secure than the base
> Java language. The "problem" is not the Java language, but the Internet
> infrastructure built into the Java libraries and "add on" facilities such
> as LOG4J. A COBOL
Mon, 13 Dec 2021 at 23:14 Andrew Rowley wrote:
> On 13/12/2021 10:52 pm, Filip Palian wrote:
> > @Andrew Rowley, you may want to check this outstanding work from Adam
> > Gowdiak (search for "ibm java" or "oracle java" or simply check it all):
> &
Mon, 13 Dec 2021 at 22:33 Andrew Rowley wrote:
> On 13/12/2021 9:03 pm, David Crayford wrote:
> >
> > Agreed. Although Java itself does have security vulnerabilities and
> > patches are released frequently. It's critical to stay up to date with
> > service
> > https://www.ibm.com/support/pag
From the information security perspective there's a well-known
confidentiality, integrity and availability (CIA) triad.
However, the overall security posture of an organisation is dependent on
the following three key areas: people, process, technology (PPT).
The majority of breaches/risks can be prev
Hey,
You can read login credentials from within a script at run time from a
separate file containing the password. This file should have adequate
permissions and ownership set, of course.
Alternatively, if you control the target, perhaps you can whitelist your
curl/client.
I hope that helps.
Chee
Hey List,
This can be of interest to some:
- https://securityintelligence.com/posts/top-five-security-focus-areas-for-mainframes/
- https://www.ibm.com/downloads/cas/A9NKZ8WE
Any thoughts/comments?
Thanks,
Filip