On 2013-09-09, at 08:11, R.S. wrote: > >> On Mon, 9 Sep 2013 08:47:20 -0500, Ray Overby wrote: >> >>> There is a software product called z/Assure Vulnerability Analysis >>> Product that will allow a z/OS installation to identify >>> exposures/vulnerabilities in IBM, ISV, and installation written code. >>> > I guess, only those which are know to the author. Or subset of them > "implemented" in the tool. > >>> With this software product you can systematically check to see if an >>> exposure has been introduced with maintenance or a new release. >> > I don't know the tool, but I can imagine that in order to use it one needs > extra atuhorities. > See IBM DSMON reporting tool - you have to be authorized to use it. > I would guess that in accord with IBM's policies such a tool would report only vulnerabilities for which IBM has a repair, and perhaps report only the fixing APAR number, not the nature of the vulnerability.
But it's possible that the intended (fe)malefactor has full access to a test system which is a twin of the secured target system in order to develop penetration tools. -- gil ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN