On 29/1/22 12:53 am, Phil Smith III wrote:
>> pipeline every time we merge into our development branch or master.
> I know YOU know this, David, but it bears stating explicitly: none of these
> tools would (did) detect the log4j vuln.
I'm cognizant of that. Humans find vulnerabilities. In the case of
log4shell it was a security researcher at Alibaba who then reported it
to Apache.
In the case of Shellshock, Heartbeat, Meltdown, Spectre etc. it was
security researchers at Google. Big tech offer bounties to anybody who
finds vulnerabilities in their products.
As soon as a 0day is found, it is reported to the maintainer and then
logged in the CVE database and disclosed to the world. Compare this to
IBM, who have typical corporate disclosure rules. A case in point is IBM
rejecting a 0day disclosure which they said was "out of scope" with their
disclosure rules and then did a U-turn and blamed a process error.
https://techmonitor.ai/techonology/cybersecurity/ibms-data-risk-manager
ITschak is of the opinion that the mainframe is less secure because of
the use of open source software. I would argue that a lot of enterprise
software is just as vulnerable, and in a lot of cases more vulnerable,
because closed source doesn't have as many eyes scrutinizing it. Others
may have the opposite opinion.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN