-----------------------<snip>-----------------
From time to time I read on the list about companies which demand ISVs
to provide source code for SVC routines to analyze it from a security
point of view.
While I don't know too much about z/OS 'guts', I'm wondering what is
the reason for that? Or rather, why the SVC code is so important,
while APF-authorized libraries are not subject to analysis. The same
applies to programs in SCHEDxx members.
AFAIK (I could be wrong) an APF-authorized program can bypass security
rules, so it can be dangerous. Is SVC more dangerous?
Last, but not least - neither SVC, nor 'regular' APF-authorized
program can do anything illegal when not instructed, so unless ISV
folks have unlimited access to the prod system it is like a dangerous knife
in my safe.
The other possibility is that a "backdoor" entry is disclosed by the ISV to our
sysprogs. In fact it would be a confession to a security hole.
---------------------<unsnip>----------------------
My last shop processed enough money in a week to pay the U. S. National
Debt, and NONE of that money was ours. We had to be like Caesar's wife,
Calpurnia. That is, not only be pure, but perceived to be pure by all
who beheld us. Security was held to be far more important than
performance by "The Powers That Be".
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html