David, Prove your claim reg. "Enterprise software". Give at least one sample. My claim is already proved. Nordea bank was penetrated from USS, LOG4J is an open source.
ITschak

Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I | Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il

On Sat, Jan 29, 2022 at 2:27 AM David Crayford <dcrayf...@gmail.com> wrote:

> On 29/1/22 12:53 am, Phil Smith III wrote:
> >> pipeline every time we merge into our development branch or master.
> >
> > I know YOU know this, David, but it bears stating explicitly: none of
> > these tools would (did) detect the log4j vuln.
>
> I'm cognizant of that. Humans find vulnerabilities. In the case of
> log4shell it was a security researcher at Alibaba who then reported it
> to Apache.
> In the case of Shellshock, Heartbeat, Meltdown, Spectre etc. it was
> security researchers at Google. Big tech offer bounties to anybody who
> finds vulnerabilities in their products.
> As soon as a 0day is found, it is reported to the maintainer and then
> logged in the CVE database and disclosed to the world. Compare this to
> IBM, who have typical corporate disclosure rules. A case in point is IBM
> rejecting a 0Day disclosure which they said was "out of scope" with their
> disclosure rules and then did a U-turn and blamed a process error.
> https://techmonitor.ai/techonology/cybersecurity/ibms-data-risk-manager
>
> ITschak is of the opinion that the mainframe is less secure because of
> the use of open source software. I would argue that a lot of Enterprise
> software is just as vulnerable. And in a lot of cases more vulnerable
> because it is closed source and doesn't have as many eyes scrutinizing it.
> Others may have the opposite opinion.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN