Re: zSecure Audit Concern with EJES SVC

[Edward Jaffe]

Ulrich Boche wrote:
Recently, I ran a zSecure Audit MVS Tables status scan and one of its 
findings was the following:

I have never heard of zSecure.


My question now is, and maybe Ed Jaffe can take a look at that, what 
is this SVC doing that it gets such bad press from zSecure? I neither 
have the source code of this SVC nor am I among the chosen few who can 
judge the security and integrity of SVCs and other authorized code. 
However, we need to know if there is an issue here.

Here is an excerpt from our system integrity statement:

"(E)JES maintains MVS system integrity using key controlled storage 
protection, TCB dispatchability management, locking, and other 
facilities provided by the operating system to ensure users and programs:
o cannot bypass the hardware isolation functions that protect other 
users or programs
o cannot obtain control in an authorized execution state
o cannot bypass the system-level security functions provided by IBMs 
Security Server (RACF) or OEM equivalent product

Phoenix Software International began using these programming techniques 
for (E)JES in 1993. Our commitment to MVS system integrity has remained 
unchanged since that time.

Any MVS system integrity exposure found by our customers will be 
resolved as a high-severity problem by Phoenix Software International."

If you would like me to send a letter containing this system integrity 
statement, please send me the contact details off-list.

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html