Secure Coding mailing list archives

Mainframe Security

From: yo at secappdev.org (Johan Peeters)
Date: Thu, 1 Nov 2007 21:16:50 +0100

I think this could do a great service to the community.

Recently I was hired by a major financial institution as a lead
developer. They said they needed me for some Java applications, but it
turns out that the majority of code is in COBOL. As I have never
before been anywhere near COBOL, this comes as a culture shock. I was
surprised at the paucity of readily available information on COBOL
vulnerabilities, yet my gut feeling is that there are plenty of
security problems lurking there. Since so much of the financial
services industry is powered by COBOL, I would have thought that
someone would have done a thorough study of COBOL's security posture.
I certainly have not found one. Anyone else?

kr,

Yo

On 11/1/07, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com> wrote:

 I was thinking that there is an opportunity for us otherwise lazy
enterprisey types to do our part in order to promote secure coding in an
open source way. Small vendors tend to be filled with lots of folks that
know C, Java and .NET but may not have anyone who knows COBOL.
Minimally, they probably won't have access to a mainframe or a large
code base.

Being an individual who is savage about being open and participating in
a community, I would like to figure out why my particular call to action
is. What questions should I be asking myself regarding our mainframe,
how to exploit, etc so that I can make this type of knowledge open
source such that all the static analysis tools can start to incorporate?


*************************************************************************
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*************************************************************************


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



-- 
Johan Peeters
http://johanpeeters.com

Current thread:

Microsoft Pushes Secure, Quality Code Kenneth Van Wyk (Oct 06)
- Microsoft Pushes Secure, Quality Code Steven M. Christey (Oct 08)
  - Microsoft Pushes Secure, Quality Code Gary McGraw (Oct 08)
    - Microsoft Pushes Secure, Quality Code Steven M. Christey (Oct 08)
  - Microsoft Pushes Secure, Quality Code J.M. Seitz (Oct 08)
  - Microsoft Pushes Secure, Quality Code Romain Gaucher (Oct 09)
    - Mainframe Security McGovern, James F (HTSC, IT) (Nov 01)
    - Mainframe Security Johan Peeters (Nov 01)
    - Mainframe Security Kenneth Van Wyk (Nov 01)
    - Mainframe Security ljknews (Nov 01)
    - Mainframe Security Paul Powenski (Nov 01)
    - Mainframe Security Johan Peeters (Nov 02)
    - Mainframe Security ljknews (Nov 02)
    - Message not available
    - Message not available
    - Mainframe Security ljknews (Nov 02)
    - Mainframe Security Glenn and Mary Everhart (Nov 02)
    - Mainframe Security Gergely Buday (Nov 02)
    - Mainframe Security Florian Weimer (Nov 02)
    - Mainframe Security ljknews (Nov 02)

(Thread continues...)