Secure Coding mailing list archives
Mainframe Security
From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 1 Nov 2007 21:32:56 -0400
On Nov 1, 2007, at 4:16 PM, Johan Peeters wrote:
Since so much of the financial services industry is powered by COBOL, I would have thought that someone would have done a thorough study of COBOL's security posture. I certainly have not found one. Anyone else?
Just a couple random(ish) observations here...

1) I believe that COBOL is still behind the *vast* majority of financial transactions today. I don't know the %, but I'd bet it to be close to 100%.

2) It's been my experience that COBOL folks (read: "mainframe programmers") tend to frown on the Internet, the web, and such. However, in talking with them, it's often useful to say that they're likely to have to interface with "internet folks" via SOA and other mechanisms, so it's worth their while to understand the security problems that "those guys" face, such as XSS and SQL/XML injection (a handy tip I picked up from Andrew van der Stock -- thanks Andrew!).

So what's my point? It's this: I've often found the "mainframe crowd" to be reluctant to even talk about software security because there seems to be a pervasive attitude that it's not their problem. After all, the mainframe architectures they're familiar with have had secure, trustworthy networks and such for decades, right? Well, easing them into a discussion by simply pointing out that they should be aware of the issues that the "internet folks" have to deal with because they *need* to interface with them can help things along.

Lastly, I noticed that at least one static code analysis tool (Fortify) now supports COBOL. I'm not yet sure what things they scan for, and I'm *far* from COBOL literate myself, but I figure it's got to be good news re James's point.

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com