Memento SolarWinds... David, I like your confidence. At SolarWinds, twice the
size of Rocket, the toxic code was injected during the build process, by
someone (or several people) who had penetrated long before they started to interfere
with the code. BTW, the SolarWinds attack was based on vendor code, not open source.

ITschak

ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring
for z/OS, x/Linux & IBM i | z/VM coming soon




On Thu, Jan 27, 2022 at 4:03 AM David Crayford <dcrayf...@gmail.com> wrote:

> On 27/1/22 4:35 am, Tom Brennan wrote:
> > Those are things we don't like to talk about :)
>
> Indeed!
>
>
> > And even less talked about: What's to stop a trusted ISV or even IBM
> > from being hacked or having a rogue employee that does the same?
>
> Absolutely nothing. Any executable code that runs authorized can contain
> vulnerabilities. Some of our best guys, distinguished engineers etc., run
> our Secure Engineering training. We also use IBM's Secure Engineering
> scanner, which checks executable code for vulnerabilities. I haven't used
> it, but I attended a training session and it can detect all sorts of
> nasties. You can see an example of a z/OS security vulnerability it
> detected here:
> https://www.ibm.com/support/pages/apar/OA38586.
>
> I haven't checked lately, but how many packages are there on the CBTtape
> that switch to supervisor state, key 0 when they don't require key 0?
> Unfortunately, that was and still is quite a common practice.
>
>
> >
> > On 1/26/2022 11:41 AM, Gibney, Dave wrote:
> >> If I was a long term bad actor, or perhaps a nation/state, I might
> >> consider evaluating open source for useful/popular components. Then,
> >> contribute to their development, spread, and usefulness, while
> >> inserting subtle exploitable defects.
> >>
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

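A heuristic check for the practice David describes (packages that raise themselves to key 0 or supervisor state and never give it back), as an added example: this is not IBM's Secure Engineering scanner, not code from the thread, and not anything a poster wrote. It scans HLASM source for MODESET, reports key 0 or supervisor state still held when the program returns, and reports a key 0 window in which nothing is stored at all (so key 0 was probably not needed). The sample source, the store-opcode list and the MODESET operand handling are assumptions made for the example; continuation lines, SPKA, and macro-generated code are not handled.

```python
"""Heuristic least-privilege scan of HLASM source for MODESET misuse.

Added example (not IBM's scanner). Two rules:
  KEY0_NOT_RESTORED / SUP_NOT_RESTORED: authority raised by MODESET is still
      held at a return instruction (BR 14, BSM, PR).
  KEY0_UNUSED: no storage-modifying instruction executed while in key 0,
      so the switch to key 0 is probably unnecessary.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    csect: str
    kind: str
    line: int   # source line of the MODESET that raised authority


# Assumed list of instructions that write storage (the reason one needs key 0).
STORE_OPS = {"ST", "STG", "STM", "STMG", "STH", "STC", "MVC", "MVCL", "MVI",
             "XC", "OC", "NC", "MVCK", "MVCDK", "MVCSK"}


def parse_line(text: str) -> Optional[Tuple[str, str, str]]:
    """Return (label, opcode, operands) for one statement; None for blanks/comments.
    Assumes fixed-form HLASM: label in column 1, '*' or '.*' in column 1 is a comment."""
    if not text.strip() or text.startswith("*") or text.startswith(".*"):
        return None
    parts = text.split()
    if text[0] not in " \t":
        label, rest = parts[0], parts[1:]
    else:
        label, rest = "", parts
    if not rest:
        return None
    operands = rest[1].upper() if len(rest) > 1 else ""
    return label, rest[0].upper(), operands


def is_return(opcode: str, operands: str) -> bool:
    return opcode in {"PR", "BSM"} or (opcode == "BR" and operands == "14")


def scan(source: str) -> List[Finding]:
    findings: List[Finding] = []
    csect = "(none)"
    key0_since: Optional[int] = None   # line that raised us to key 0
    sup_since: Optional[int] = None    # line that raised us to supervisor state
    stored_in_key0 = False             # any store seen while key 0 is held?

    for lineno, text in enumerate(source.splitlines(), start=1):
        parsed = parse_line(text)
        if parsed is None:
            continue
        label, opcode, operands = parsed

        if opcode == "CSECT":          # new control section: reset state
            csect = label or csect
            key0_since = sup_since = None
            stored_in_key0 = False
            continue

        if opcode == "MODESET":
            key = re.search(r"KEY=(ZERO|NZERO)", operands)
            mode = re.search(r"MODE=(SUP|PROB)", operands)
            if key and key.group(1) == "ZERO" and key0_since is None:
                key0_since, stored_in_key0 = lineno, False
            elif key and key.group(1) == "NZERO" and key0_since is not None:
                if not stored_in_key0:
                    findings.append(Finding(csect, "KEY0_UNUSED", key0_since))
                key0_since = None
            if mode and mode.group(1) == "SUP" and sup_since is None:
                sup_since = lineno
            elif mode and mode.group(1) == "PROB":
                sup_since = None
            continue

        if key0_since is not None and opcode in STORE_OPS:
            stored_in_key0 = True

        if is_return(opcode, operands):
            if key0_since is not None:
                findings.append(Finding(csect, "KEY0_NOT_RESTORED", key0_since))
                if not stored_in_key0:
                    findings.append(Finding(csect, "KEY0_UNUSED", key0_since))
                key0_since = None
            if sup_since is not None:
                findings.append(Finding(csect, "SUP_NOT_RESTORED", sup_since))
                sup_since = None
    return findings


# Constructed sample: GOOD holds key 0 only around the store that needs it;
# BAD grabs supervisor state and key 0 on entry for a WTO and an ENQ and never drops them.
SAMPLE = """\
GOOD     CSECT
         STM   14,12,12(13)
         MODESET KEY=ZERO             raise to key 0 only around the store
         MVC   ANCHOR(4),=F'1'        update a key-0 control block
         MODESET KEY=NZERO            drop it again
         LM    14,12,12(13)
         BR    14
BAD      CSECT
         STM   14,12,12(13)
         MODESET MODE=SUP,KEY=ZERO    grab everything on entry
         WTO   'STARTING'
         ENQ   (MAJOR,MINOR,E,,SYSTEM)
         LM    14,12,12(13)
         BR    14
         END
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.csect}: {f.kind} (MODESET at line {f.line})")
```

Run against SAMPLE, GOOD produces nothing and BAD produces three findings pointing at its MODESET on line 10. A real review would still read the code by hand: the store-opcode rule cannot tell a store into the program's own working storage from one into a fetch-protected control block, so KEY0_UNUSED is a prompt to look, not a verdict.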