I've been researching web app -> mainframe security from a software engineering perspective for about the last six months. If anyone from a mainframe background wants to collaborate, I'd be more than happy to share as I have a few challenges:

a) I'm working from secondary resources (web pages, manuals, PDFs)
b) I don't have access to a z/OS or similar system and thus cannot mock up a test environment to prove or disprove my hypotheses on how best to prevent certain classes of attack
c) I really don't have a lot of experience with z/OS, COBOL, DB2, IMS, or CICS. Therefore, I could be missing some great resources and features.

Saying that, I have made a bit of headway by applying first principles and trying to discover what is available to assist and protect against certain threats and attacks. I've just posted a draft entry to my blog detailing the first (and I mean first) post I've had brewing since May this year. It's nowhere near as good as I would have liked.

I don't do exploits. You will not be seeing any "how to hax0rs b1g ir0n" from me. I don't see the relevance of arming script kiddies. Only the architects and developers need to know how to develop and maintain safer designs and code, and folks like me need to know what to look for to make sure it's in place.

That said, from my personal research, this area is a total greenfield. The folks who know mainframe security simply don't come out of their shells often enough. They have the goods, but the goods are not really well known amongst the architects and devs I've dealt with. Most of the business folks who ask for their shiny new dodgy code to talk to old dodgy transactions don't see this risk and refuse to pay to have qualified folks review and remediate the security of the mainframe side. They see it as this reliable old workhorse - which is not broke, so don't fix it. And in my personal experience, they NEVER fix it.

On another note, I'm really happy to see Fortify tackle the mainframe with their SCA products. It's really late and delayed, but better late than never. I know a bunch of sites that could use that tool if it works even 1% as well as the marketing is likely to make out.

thanks,
Andrew van der Stock
Executive Director, OWASP
Project Lead & Author, OWASP Guide

On Nov 2, 2007, at 1:45 PM, Peter G. Neumann wrote:

Searching through
 http://www.csl.sri.com/neumann/illustrative.html
gives these COBOL-related RISKS items.  The initial
character descriptors are defined there.  In the citations,

* R relates to RISKS (archives at risks.org)
* S relates to SIGSOFT Software Engineering Notes (archives at
   www.sigsoft.org/SEN/ although more recent items also in RISKS)

Vf West Drayton ATC system bug found in 2-yr-old COBOL code (S 16 3, R 11 30)

$fe IRS COBOL reprogramming delays; interest paid on over 1,150,000 refunds
 (S 10 3:12)

S[H?] Election frauds, lawsuits, spaghetti code, same memory locations
used for multiple races simultaneously, undocumented GOTOs, COBOL
ALTER verb allowing self-modifying code, calls to undocumented/unknown
subroutines, bypassable audit trails (S 11 3);
Report from the Computerized Voting Symposium, August 1986 (S 11 5)

Sie
Data transfer Excel-COBOL loses voter data in 2003 Greenville
 Mississippi election (R 22 95)

$hi Man gets $218 trillion phone bill (R 24 24); COBOL program?
 (R 24 27,29,30,33)

f Discussion of date and century roll-over problems:
Fujitsu SRS-1050 ISDN display phones fail on two-digit month (10);
1401 one-character year field; COBOL improvements; IBM 360 (S 20 2:13)
 [See Fred Ballard and Walt Murray  (R 16 70 ff).]
 [Lots of stuff is relevant on COBOL's two-character year field
 and the entire Y2K saga.]
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com )
as a free, non-commercial service to the software security community.
_______________________________________________