IBM Systems Magazine, Mainframe - January/February 2018 - SE28
Sponsored Advertising Content
Vulnerability Scanning is Essential to z/OS Security
Security analysts tell you that a priority on the mainframe is securing your
applications through configuration vulnerability assessments. What they don't
tell you is that it takes only one zero-day code-based vulnerability in the z/OS* layer to
bypass everything you are doing to secure those applications and the source data
associated with them.
Key Resources Inc.
RAY OVERBY - PRESIDENT
Ray Overby is a recognized authority on mainframe security for IBM Z* environments.
Security professionals understand how to mitigate the risks caused by configuration-based
vulnerabilities, but a code-based vulnerability assessment will lead you to the
realization that you have serious exposures. Code-based vulnerabilities allow hackers
(external or internal) to circumvent internal z/OS integrity controls as well as your
External Security Manager (ESM), and in some cases you will never know they have
access to your applications and your data.
In the case of a storage-alteration vulnerability, an exploit program gives
a non-authorized user the ability to modify OS memory. Those memory locations
include where the ESM (e.g., RACF*) keeps its security credentials. Code-based
vulnerabilities are caused by poor design and coding errors in programs that reside
in the mainframe's OS layer.
A comprehensive security compliance review of a mainframe system should
always include analysis for both configuration-based and code-based vulnerabilities. The
balance between protection and vulnerabilities isn't static or even predictable; it's
impossible to monitor and comprehend the consequences of vendor development and
maintenance streams. In the same way that PCs and servers need frequent scans
for malware, the mainframe needs periodic evaluation for exposures created by
configuration changes and by vendor releases and patches. Failure to do both leaves
your mainframe system at risk.
Ensuring System Integrity
Remember, ensuring system integrity is outside the scope of the current external
security managers (ESMs). The ESMs were not designed to enforce your security
policy when an OS-layer code vulnerability is exploited and allows unauthorized
access to data.
Where does all of this lead? It surely does not undermine the mainframe's
well-deserved reputation for integrity; no other platform rivals what its integrated
architecture, development and maintenance philosophies, and fundamental
reliability mindset provide.
It does, however, recall sage advice: trust but verify. Mainframes remain the ideal
platform for supporting business processes, especially for building future successes
(mobile, cloud, payment). Their use must include appropriate verification that the
system's architectural foundation, z/OS, provides no "basement kitchen window"
Learn more at: ibmsystemsmag.com/buyersguide