Re: Code vulnerability

2018-12-08 Thread zMan
That's actually not crazy, and matches what Tripwire and friends do IIRC.

As opposed to a long-ago QA person who would compare each file from each
release and demand explanations for each new or changed file. Since this
was VM and the products included source code, the conversation would go
like this:

"What about this one?"
"That's a source change. Just like the next 27 files."
"OK, then what about this one?"
"That's the AUX file that lists those changes."
"OK, then what about this one?"
"That's the executable that was built from the source code we just
discussed."

After spending an hour on this once, I explained to my VP that I wasn't
going to do it again, as it wasn't adding any value. I had an automated
system that notified me of files changed/added in the release, and would
examine those myself to be sure nothing was obviously borked. Fortunately
for all involved, he agreed with me.

On Sat, Dec 8, 2018 at 8:58 PM Jeremy Nicoll 
wrote:

> On Sat, 8 Dec 2018, at 19:28, Paul Gilmartin wrote:
>
> > "ZAP" is a key word.  How does one guarantee that any program in any
> > language hasn't been ZAPped after passing audit?
>
> Twenty years or so ago the bank I worked at ran an audit tool which stored
> a hash or checksum of every loadmodule, and each time the tool was run
> someone had to sign-off each such detected change.
>
>
> > https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
>
> Sneaky!
>
>
> --
> Jeremy Nicoll - my opinions are my own.
>


-- 
zMan -- "I've got a mainframe and I'm not afraid to use it"

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Code vulnerability

2018-12-08 Thread Jeremy Nicoll
On Sat, 8 Dec 2018, at 19:28, Paul Gilmartin wrote:

> "ZAP" is a key word.  How does one guarantee that any program in any language
> hasn't been ZAPped after passing audit?

Twenty years or so ago the bank I worked at ran an audit tool which stored
a hash or checksum of every loadmodule, and each time the tool was run 
someone had to sign-off each such detected change.


> https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Sneaky!


-- 
Jeremy Nicoll - my opinions are my own.


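Added example, not code from this thread or from the bank's audit tool: a minimal baseline checker in the spirit of what Jeremy describes above (hash every load module, flag every change, require a sign-off) and of the release-change notifier zMan mentions in his reply. It records a SHA-256 per member, reports added/changed/removed members against the signed-off baseline, and folds a delta into the baseline only once it has been explicitly approved, so an unexplained change keeps being reported. The library layout, member names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so a large load module need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every file under root (by relative name) to its current hash."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify each deviation from the signed-off baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline.keys() & current.keys()
                          if baseline[n] != current[n]),
    }

def sign_off(baseline: dict, current: dict, approved: set) -> tuple:
    """Fold only approved deltas into a new baseline; return (new_baseline, still_flagged)."""
    delta = diff_baseline(baseline, current)
    pending = {name for names in delta.values() for name in names}
    new_baseline = dict(baseline)
    for name in pending & approved:
        if name in current:
            new_baseline[name] = current[name]   # accepted add or change
        else:
            new_baseline.pop(name, None)         # accepted removal
    return new_baseline, sorted(pending - approved)  # unapproved items are reported again next run

def demo() -> tuple:
    """Constructed scenario: one member changes, one appears unexpectedly; only the change is approved."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "PAYROLL").write_bytes(b"\x47\xf0\xf0\x0c")       # constructed member contents
        (lib / "AUDIT").write_bytes(b"\x07\xfe")
        baseline = snapshot(lib)                                  # the signed-off state
        (lib / "PAYROLL").write_bytes(b"\x47\xf0\xf0\x0c\x00")  # a post-audit modification
        (lib / "NEWMOD").write_bytes(b"\x18\x11")                 # an unexplained new member
        current = snapshot(lib)
        new_baseline, flagged = sign_off(baseline, current, approved={"PAYROLL"})
        return diff_baseline(baseline, current), sorted(new_baseline), flagged
```

The baseline dict is what a real tool would persist (and protect) between runs; a member that keeps turning up in the flagged list is the one the sign-off process exists to explain.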

Re: Code vulnerability

2018-12-08 Thread Walt Farrell
On Sat, 8 Dec 2018 21:09:42 +0200, Binyamin Dissen  
wrote:

>I don't believe this tool would be appropriate for the OP as it detects system
>objects (for the lack of a better term) that allow inappropriate privilege
>elevation or storage access. Application code would not benefit from this
>tool.

You may be right; I don't think the OP has told us yet what kind of
applications he's talking about, and I recall at least one vendor having
previously mentioned using COBOL and HLASM for authorized STC code.

-- 
Walt



Re: IBM sells software portfolio including Notes and Domino to HCL for $1.8b | ZDNet

2018-12-08 Thread zMan
On the bright side, committed IBM shops may be able to move off Lotes to a
real email system.

On Fri, Dec 7, 2018 at 11:59 AM Dave Jones  wrote:

>
> https://www.zdnet.com/article/ibm-sells-software-portfolio-including-notes-and-domino-to-hcl-for-1-8b/
>
> DJ
>


-- 
zMan -- "I've got a mainframe and I'm not afraid to use it"



Re: Code vulnerability

2018-12-08 Thread Paul Gilmartin
On Sat, 8 Dec 2018 18:18:04 +, Rugen, Len wrote:

>I guess you could write assembler code entirely with
>   DC X'.'
>
Don't do that!

RLDs?  Location independent code?

>Then use ZAP to maintain it :-)
> 
"ZAP" is a key word.  How does one guarantee that any program in any language
hasn't been ZAPped after passing audit?

https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

-- gil



Re: Code vulnerability

2018-12-08 Thread Binyamin Dissen
I don't believe this tool would be appropriate for the OP as it detects system
objects (for the lack of a better term) that allow inappropriate privilege
elevation or storage access. Application code would not benefit from this
tool.

On Sat, 8 Dec 2018 11:13:46 -0600 Steve Beaver  wrote:

:>I have known Ray Overby for years.
:>
:>He has a tool that he leases that looks more at the z/OS and z/OS Program
:>Product level
:>
:>-Original Message-
:>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
:>Behalf Of Richard Way
:>Sent: Friday, December 7, 2018 4:39 PM
:>To: IBM-MAIN@LISTSERV.UA.EDU
:>Subject: Re: Code vulnerability
:>
:>I currently work for Micro Focus, and we have the "Fortify" product line. I
:>am NOT in that group, however, and I really don't know if it does what you are
:>looking for or not - although I know it does have support for scanning
:>mainframe COBOL for vulnerabilities. I don't know about HLASM.
:>
:>Something you may want to explore, if you haven't already investigated it.
:>
:>Rich Way
:>
:>-Original Message-
:>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
:>Behalf Of Steve Smith
:>Sent: Friday, December 07, 2018 2:14 PM
:>To: IBM-MAIN@LISTSERV.UA.EDU
:>Subject: Re: Code vulnerability
:>
:>Depends on what kind of vulnerability you're looking for.  z/OS itself isn't
:>the only valuable thing you have.
:>
:>sas
:>
:>On Fri, Dec 7, 2018 at 2:11 PM Charles Mills  wrote:
:>
:>> Ray Overby at Key Resources, Inc.
:>>
:>> Charles
:>>
:>>
:>> -Original Message-
:>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
:>> On Behalf Of scott Ford
:>> Sent: Friday, December 7, 2018 10:04 AM
:>> To: IBM-MAIN@LISTSERV.UA.EDU
:>> Subject: Code vulnerability
:>>
:>> All,
:>>
:>> We write in Enterprise COBOL and HLASM and had a reseller ask us if
:>> we scanned our COBOL code and HLASM code for vulnerabilities. Does
:>> software for this exist? I know according to one of our people
:>> SonarQube can do COBOL scans, but is expensive, like $5.
:>>
:>> Has anyone heard of any other software that does this function, and what
:>> would they be looking for since we don't use any third-party libraries?
:>>
:>> Best Regards,
:>>
:>> *IDMWORKS *
:>>
:>> Scott Ford
:>>
:>> z/OS Dev.
:>>
:>> “By elevating a friend or Colleague you elevate yourself, by demeaning
:>> a friend or colleague you demean yourself”
:>>
:>> www.idmworks.com
:>> scott.f...@idmworks.com
:>> Blog: www.idmworks.com/blog
:>>

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.



Re: Code vulnerability

2018-12-08 Thread Rugen, Len
I guess you could write assembler code entirely with
   DC X'.'

Then use ZAP to maintain it :-)



Re: Code vulnerability

2018-12-08 Thread Steve Beaver
I have known Ray Overby for years.

He has a tool that he leases that looks more at the z/OS and z/OS Program Product
level

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Richard Way
Sent: Friday, December 7, 2018 4:39 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Code vulnerability

I currently work for Micro Focus, and we have the "Fortify" product line. I am 
NOT in that group, however, and I really don't know if it does what you are 
looking for or not - although I know it does have support for scanning 
mainframe COBOL for vulnerabilities. I don't know about HLASM.

Something you may want to explore, if you haven't already investigated it.

Rich Way

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve Smith
Sent: Friday, December 07, 2018 2:14 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Code vulnerability

Depends on what kind of vulnerability you're looking for.  z/OS itself isn't 
the only valuable thing you have.

sas

On Fri, Dec 7, 2018 at 2:11 PM Charles Mills  wrote:

> Ray Overby at Key Resources, Inc.
>
> Charles
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> On Behalf Of scott Ford
> Sent: Friday, December 7, 2018 10:04 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Code vulnerability
>
> All,
>
> We write in Enterprise COBOL and HLASM and had a reseller ask us if
> we scanned our COBOL code and HLASM code for vulnerabilities. Does
> software for this exist? I know according to one of our people
> SonarQube can do COBOL scans, but is expensive, like $5.
>
> Has anyone heard of any other software that does this function, and what
> would they be looking for since we don't use any third-party libraries?
>
> Best Regards,
>
> *IDMWORKS *
>
> Scott Ford
>
> z/OS Dev.
>
> “By elevating a friend or Colleague you elevate yourself, by demeaning
> a friend or colleague you demean yourself”
>
> www.idmworks.com
> scott.f...@idmworks.com
> Blog: www.idmworks.com/blog
>


--
sas





Re: Code vulnerability

2018-12-08 Thread Timothy Sipples
As another candidate, AppScan Source supports COBOL, but I'm not sure about
Assembler. That's quite technically tricky.


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE


E-Mail: sipp...@sg.ibm.com
