/I guess, only those which are know to the author. Or subset of them
"implemented" in the tool.
/z/Assure VAP is not a virus scanner. It does not use a list of known
vulnerabilities or code sequences to identify vulnerabilities.
Ray Overby
Key Resources, Inc
Ensuring System Integrity for z/Series
(312) 574-0007
On 9/9/2013 9:40 AM, Paul Gilmartin wrote:
On 2013-09-09, at 08:11, R.S. wrote:
On Mon, 9 Sep 2013 08:47:20 -0500, Ray Overby wrote:
There is a software product called z/Assure Vulnerability Analysis
Product that will allow a z/OS installation to identify
exposures/vulnerabilities in IBM, ISV, and installation written code.
I guess, only those which are know to the author. Or subset of them
"implemented" in the tool.
With this software product you can systematically check to see if an
exposure has been introduced with maintenance or a new release.
I don't know the tool, but I can imagine that in order to use it one needs
extra atuhorities.
See IBM DSMON reporting tool - you have to be authorized to use it.
I would guess that in accord with IBM's policies such a tool
would report only vulnerabilities for which IBM has a repair,
and perhaps report only the fixing APAR number, not the nature
of the vulnerability.
But it's possible that the intended (fe)malefactor has full access
to a test system which is a twin of the secured target system in
order to develop penetration tools.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
