Secure Coding mailing list archives

COBOL Exploits


From: ken at krvw.com (Kenneth Van Wyk)
Date: Fri, 2 Nov 2007 10:41:48 -0400

On Nov 2, 2007, at 12:13 AM, Mark Rockman wrote:
> I'm sure you can write COBOL programs that crash, but it must be
> hard to make them take control of the operating system.

If software exploits were "only" isolated to OS compromise, that'd be  
just fine.  But let's not forget that an application can be thoroughly  
compromised by an attacker who never leaves the realm of the  
application -- e.g., providing spoofed credentials to read another  
user's customer data in a database app.  The business logic data  
access control (authorization) is just one area of an app that  
transcends implementation language.  A poorly designed authorization
model can be implemented in pretty much anything, I believe.

Let's get past the simple buffer overflow exploit to get OS access.   
IMHO, it's right to consider mainframe/COBOL apps carefully.  Although  
we likely won't find a buffer overflow "smoking gun", I'll bet we are  
likely to find examples of bad security logic that can lead to app  
compromise.  Plus, let's face it, modern attacks are moving more and  
more towards the pure application layer (think XSS, SQL/XML injection,  
cross-site request forgery, etc.), AND they're increasingly  
financially motivated.

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
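The authorization flaw Ken describes (a logged-in user supplying another customer's id to a database app) can be shown in any language; the following is an added example, not code from the list or its authors. It uses an in-memory SQLite table with constructed rows and contrasts an accessor that trusts the request's customer id with one that scopes the query to the authenticated session's own rows.

```python
import sqlite3

# Constructed sample data: each customer row is owned by one login account.
ROWS = [
    (1, "alice", "Alice Ames", "4111-xxxx-xxxx-1111"),
    (2, "bob", "Bob Brown", "5500-xxxx-xxxx-2222"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customer("
        "id INTEGER PRIMARY KEY, owner TEXT, name TEXT, card TEXT)"
    )
    con.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", ROWS)
    return con


def fetch_customer_unchecked(con, session_user, customer_id):
    """Weak pattern: the row is selected purely by the id taken from the
    request; the authenticated user is accepted as a parameter but never
    consulted, so any account can read any customer's record."""
    cur = con.execute(
        "SELECT name, card FROM customer WHERE id = ?", (customer_id,)
    )
    return cur.fetchone()


def fetch_customer_authorized(con, session_user, customer_id):
    """Corrected pattern: the query is scoped to rows owned by the
    authenticated session, so an id belonging to someone else yields
    None (treated as not found) instead of their data."""
    cur = con.execute(
        "SELECT name, card FROM customer WHERE id = ? AND owner = ?",
        (customer_id, session_user),
    )
    return cur.fetchone()


if __name__ == "__main__":
    db = build_db()
    # bob asks for customer 1 (alice's record) through both accessors
    print("unchecked :", fetch_customer_unchecked(db, "bob", 1))
    print("authorized:", fetch_customer_authorized(db, "bob", 1))
```

The language-independent lesson is the second query's extra predicate: the data access layer must bind every lookup to the caller's identity, whether the app is written in COBOL, Java or Python.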



