Peer review is a powerful tool for protection from this kind of abuse.  
Technically competent managers who can read and understand code (even if they 
don't actually do it any more) are another level that can be added.  
Senior-level technical code reviewers are another possible level of protection.

Where I work we use several of those protective mechanisms.  I have been 
particularly grateful for peer review that saved me from embarrassing mistakes 
more than once.

If you fear abuse you must allocate the resources to help prevent it.  TANSTAAFL

Peter

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lizette Koehler
Sent: Tuesday, December 19, 2017 2:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Cobol upgrade 6.2 linklist

So, my opinion

Once a dataset is in the linklist - depending on how it is controlled - someone 
could put other code in there that is not system friendly.

So I have dataset, MYHLQ.USER.LOADLIB in the linklist.

Now it is APF authorized.

I use a package like ChangeMan to deploy to it, but it does not know what 
should not go there.  I use all valid naming conventions for the process.  But 
the code could be something "special".

So USERA decides to create a program with an assembler subroutine that can 
filter data in a database and send to an unknown site.

Or set up other issues in the system.  USERA has the authority to deploy to 
that dataset.  But who is controlling the source to ensure it does not do bad 
things?


Just my thought

Lizette


> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of R.S.
> Sent: Tuesday, December 19, 2017 6:08 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Cobol upgrade 6.2 linklist
> 
> What is the risk of putting COBOL-compiled code into LINKLIST?
> Let's assume LNKAUTH=LNKLST.
> Such code will not perform any authorized instructions. It can be called from
> another AC=1 code, but the problem is the module, not the COBOL code called.
> What am I missing?
> 
> 
> --
> Radoslaw Skorupka
> Lodz, Poland