On 27/1/22 2:35 pm, ITschak Mugzach wrote:
memento Solarwind... David, I like your confidence.

What I am confident about is that if any vulnerability is discovered our infosec team will use BlackDuck to detect all of our products that need to be patched.


At Solarwind, twice the size of Rocket, the toxic code was injected during the build process by someone(s) who had penetrated long before they started to interfere with the code. BTW, the Solarwind attack was based on vendor code, not open source.

And how did the system get penetrated to inject the malicious code? Social engineering? What I find disconcerting is that nobody noticed malicious code in the code reviews and pull requests.

ITschak

ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM i | z/VM coming soon




On Thu, Jan 27, 2022 at 4:03 AM David Crayford <dcrayf...@gmail.com> wrote:

On 27/1/22 4:35 am, Tom Brennan wrote:
Those are things we don't like to talk about :)
Indeed!


And even less talked about: What's to stop a trusted ISV or even IBM
from being hacked or having a rogue employee that does the same?
Absolutely nothing. Any executable code that runs authorized can contain
vulnerabilities. Some of our best guys, distinguished engineers etc., run
our Secure Engineering training. We also use IBM's Secure Engineering
scanner, which checks executable code for vulnerabilities. I haven't used
it but I attended a training session and it can detect all sorts of
nasties. You can see an example of a z/OS security vulnerability it
detected here: https://www.ibm.com/support/pages/apar/OA38586.

I haven't checked lately but how many packages are there on the CBTtape
that switch to supervisor state key 0 when they don't require key 0?
Unfortunately, that was and still is quite a common practice.


On 1/26/2022 11:41 AM, Gibney, Dave wrote:
If I was a long term bad actor, or perhaps a nation/state, I might
consider evaluating open source for useful/popular components. Then,
contribute to their development, spread, and usefulness, while
inserting subtle exploitable defects.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
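As an added illustration of the composition check described above (using a tool such as Black Duck to find every product that ships a newly reported vulnerable component), here is a constructed Python example. It is not Black Duck's code or anyone's from this thread; the product names, component names, version numbers and the advisory identifier are all made up, and the version comparison is a deliberately simple numeric one rather than a full semver implementation.

```python
"""Toy software-composition check: match one vulnerability advisory against
an inventory of products and the third-party components each one ships.
Constructed example; not Black Duck or any vendor's matching logic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.17.1' into (2, 17, 1). A non-numeric suffix on a component
    such as '1-rc1' is dropped, so '2.17.1-rc1' also becomes (2, 17, 1)."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class AffectedRange:
    component: str
    introduced: str  # first vulnerable version, inclusive
    fixed: str       # first patched version, exclusive

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    ranges: Tuple[AffectedRange, ...]


# Constructed inventory: roughly what a per-product SBOM would give you.
INVENTORY: Dict[str, List[Tuple[str, str]]] = {
    "product-alpha": [("libfoo", "2.17.0"), ("zlib-ish", "1.2.11")],
    "product-beta": [("libfoo", "2.17.1"), ("libbar", "0.9.3")],
    "product-gamma": [("libfoo", "2.15.0"), ("libbar", "1.0.0")],
    "product-delta": [("libbar", "0.9.3")],
}

# Constructed advisory; the identifier is a placeholder, not a real CVE.
ADVISORY = Advisory(
    advisory_id="ADVISORY-PLACEHOLDER-0001",
    ranges=(
        AffectedRange("libfoo", introduced="2.16.0", fixed="2.17.1"),
        AffectedRange("libbar", introduced="0.9.0", fixed="1.0.0"),
    ),
)


def affected_products(inventory: Dict[str, List[Tuple[str, str]]],
                      advisory: Advisory) -> Dict[str, List[str]]:
    """Return {product: ["component version", ...]} for every product that
    ships a component version inside one of the advisory's affected ranges.
    Products with no hit are left out, so an empty dict means nothing to patch."""
    hits: Dict[str, List[str]] = {}
    for product, components in inventory.items():
        for name, version in components:
            for rng in advisory.ranges:
                if rng.component == name and rng.contains(version):
                    hits.setdefault(product, []).append(f"{name} {version}")
    return hits


if __name__ == "__main__":
    for product, findings in sorted(affected_products(INVENTORY, ADVISORY).items()):
        print(f"{ADVISORY.advisory_id}: {product} needs a patch ({', '.join(findings)})")
```

The ranges use the "introduced, fixed" convention, so a product already on the first fixed version (product-beta's libfoo 2.17.1, product-gamma's libbar 1.0.0) is correctly left alone; the value of keeping an inventory like this is that the answer to "who ships the bad version?" is a lookup rather than a product-by-product investigation.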
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to