Secure Coding mailing list archives
Mainframe Security
From: ljknews at mac.com (ljknews)
Date: Fri, 2 Nov 2007 09:27:59 -0400
At 2:16 PM +0100 11/2/07, Johan Peeters wrote:
I have been looking at an IBM system. If I do something like this

...
01 txt PIC X(120)
....
string '**' into txt
end-string
display txt

I get to see ** on sysout followed by what appears to be selected contents of the data section. This strikes me as somewhat worrisome - it reminds me of the format string vulnerabilities in C. Am I just being paranoid?

A program that improperly releases data due to programmer error is beyond what I consider to be the realm of security. To me that is merely bad programming.

To me the criterion is whether an outsider can cause a program to do something other than what it does for normal users. Some secret back door password that causes organizational secrets to be released would be a Trojan horse.

A typical method of controlling that is with the security controls on a database, so only authorized users can read the "company secret" field, no matter how badly the application programmer messes up.

--
Larry Kilgallen