Nobody said it was immune, and you sell z security, which is quite a conflict of 
interest.

On Thursday, May 30, 2019, 9:17 AM, Ray Overby <rayove...@comcast.net> wrote:

In response to "Indeed, IF you know such trap door, you know z/OS 
vulnerability, which proves the platform is not immune. Is it as 
vulnerable as Windows? No, because it's still not binary, some systems 
are still more secure than others."

In my opinion (I am biased) z/OS is the most secure-able platform that I 
know of. Secure-able (is that a word?) does not mean that the platform 
does not have vulnerabilities (configuration and code based). There are 
many people that think just like Bill Johnson. Most of them that I have 
met and talked with, when presented with forensic evidence that shows 
their systems have trap doors, have accepted it (They had to report 
the problem to the vendor and then apply the fix - Trust but verify ;-)). Due to 
the way this industry treats integrity problems, that cannot currently be 
done publicly.

In response to "Last, but not least:  assuming you know such trap door. 
Or even several trap doors. What next?"

a) I don't submit any trap door vulnerabilities to any vendors due to 
the contractual nature around how and when these vulnerabilities are 
found. I am restricted in what I can disclose to whom. The companies 
that license the software report the issue.

b) Vendors provide a fix for trap doors in their products. I do not fix 
the Vendors' code. I have not been asked to fix any installation-written 
code for vulnerabilities but would if asked to.

c) If the Vendor does not fix the trap door, then the company can now make an 
informed decision about whether to a) assume the risk and keep the 
product or b) remove the product from the system. Having the 
vulnerability classification and knowing the capability of a trap door 
should allow the company to have meaningful internal discussions about 
the issue and decide what is best for the company. These internal 
discussions can now include management, Security, Risk, Pen testers and C 
level people, all because the vulnerability classification (TRAP DOOR) 
will allow more people to understand the issue. I would argue that 
allowing a company to understand the vulnerability risk and make an 
informed decision in the company's best interest would be very valuable 
to any company in that situation.

On 5/30/2019 6:01 AM, R.S. wrote:
> As Shmuel said an application with a trap door is an application 
> vulnerability.
> Indeed, IF you know such trap door, you know z/OS vulnerability, which 
> proves the platform is not immune. Is it as vulnerable as Windows? No, 
> because it's still not binary, some systems are still more secure than 
> others.
>
> Last, but not least:  assuming you know such trap door. Or even 
> several trap doors. What next?
> a) you submitted it to IBM and they are trying to fix it.
> b) despite a) you know how to fix it by homegrown 
> code/configuration/procedure and you offer it as a service.
> c) the trap door cannot be fixed and then your services are disputable 
> - you cannot help.
>
> Of course the above *regards only the trap doors you know*, not your 
> services portfolio.
> Besides that you can provide many valuable services regarding 
> security, but not platform issues, rather people mistakes, 
> misconfigurations, erroneous procedures, etc.
> It is worth emphasizing: while z/OS is quite secure, it may be quite 
> complex to configure it properly. And here there is a field for Ray, 
> ITschak, RSM Partners, me, etc.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN