COBOL SCA and Mainframes Security


Ashish Chhabra

Aug 24, 2016, 2:36:33 PM
to null
Hi All,

I need help with COBOL SCA and mainframe security. I am using Fortify to scan COBOL code. Does COBOL have the same sort of vulnerabilities like XSS, SQL, etc.? Is there any better way to find these issues while code auditing?

Can anyone please help.

Thanks
Ashish

Sanoop Thomas

Aug 30, 2016, 3:15:50 AM
to null-...@googlegroups.com
Hi Ashish,

If the code base you are analyzing is not native COBOL, but rather works on top of any specific appliances, it is quite unlikely you will find anything interesting from any of these automated scanners. I have often encountered the same issues as well. Most of the scanners with COBOL support don't do an impressive job of backtracking variable/function references. They can still scan single flat files in most cases and look for potential issues. If your code base has any business process involved that pulls records through any supporting web application interfaces, it could be possible to find XSS and SQL issues. At the same time, these validations could also be found in the web application code base itself. Apparently, you can also look into COBOL-specific bugs, but often you wouldn't have the complete architecture in the scope of the assessment. Most COBOL developers skip validation completely, and you could encounter truncation, file planting, usage of bad statements, business logic issues, etc. Unfortunately, all of this has to be done manually as far as I know.

If you are interested, there's a developers forum where you can discuss more mainframe stuff: http://lists.midrange.com/mailman/listinfo/rpg400-l
** security doesn't sound very good to them **

If you would need to discuss this further, feel free to reach me.

Regards,
Sanoop

--------------------------------
{
  name     : "Sanoop Thomas",
  title    : "Core Team/Moderator - Singapore Chapter",
  twitter  : [ "@s4n7h0", "@nullsingapore" ],
  web      : [ "Null Singapore Meetup", "null.con.in" ],
  email    : "s4n...@null.co.in"
}

--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
se7enth edition of nullcon Goa (Mar 9-12, 2016)
http://nullcon.net
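As an added illustration of the manual checks Sanoop lists (unvalidated input, SQL text assembled with STRING and then PREPAREd, arithmetic that silently truncates), here is a small Python triage script that is not part of this thread and not Fortify's own logic; it flags those constructs in fixed-format COBOL source so a reviewer can follow each one up by hand. The embedded COBOL program, the rule names and the column conventions are assumptions constructed for this example.

```python
import re

# Rules flag constructs for manual triage, not confirmed bugs. Fixed-format
# COBOL is assumed: cols 1-6 sequence area, col 7 indicator, cols 8-72 code.
RULES = [
    ("untrusted-input", re.compile(r"^\s*ACCEPT\b", re.I)),
    ("string-build", re.compile(r"^\s*STRING\b", re.I)),
    ("dynamic-sql", re.compile(r"\b(PREPARE|EXECUTE\s+IMMEDIATE)\b", re.I)),
]
ARITH = re.compile(r"^\s*(ADD|SUBTRACT|MULTIPLY|DIVIDE|COMPUTE)\b", re.I)
SIZE_ERROR = re.compile(r"\bSIZE\s+ERROR\b", re.I)

def _statement(lines, start):
    """Join code areas from lines[start] until a period or END-x scope terminator."""
    parts = []
    for raw in lines[start:start + 8]:  # bounded lookahead, heuristic
        parts.append(raw[6:72])
        if parts[-1].rstrip().endswith(".") or re.search(r"(?:^|\s)END-[A-Z]+", parts[-1], re.I):
            break
    return " ".join(parts)

def scan(source):
    """Return (line_no, rule, text) for each line a reviewer should look at."""
    lines = source.splitlines()
    findings = []
    for i, raw in enumerate(lines):
        code = raw[6:72]
        if code[:1] in ("*", "/"):  # column-7 comment indicator
            continue
        for name, rx in RULES:
            if rx.search(code):
                findings.append((i + 1, name, code.strip()))
        # arithmetic with no ON SIZE ERROR clause overflows/truncates silently
        if ARITH.search(code) and not SIZE_ERROR.search(_statement(lines, i)):
            findings.append((i + 1, "arith-no-size-error", code.strip()))
    return findings

# Constructed sample program for the example (not taken from any real code base).
SAMPLE = """\
       WORKING-STORAGE SECTION.
       01  WS-ACCT-ID   PIC X(10).
       01  WS-SQL-TEXT  PIC X(200).
       01  WS-TOTAL     PIC 9(3).
       PROCEDURE DIVISION.
      * account id typed by the user, never validated
           ACCEPT WS-ACCT-ID FROM SYSIN.
           STRING "SELECT BAL FROM ACCTS WHERE ID = '" WS-ACCT-ID "'"
               DELIMITED BY SIZE INTO WS-SQL-TEXT.
           EXEC SQL PREPARE STMT FROM :WS-SQL-TEXT END-EXEC.
           ADD 999 TO WS-TOTAL.
           ADD 1 TO WS-TOTAL ON SIZE ERROR DISPLAY "OVERFLOW" END-ADD.
"""
```

Running `scan(SAMPLE)` reports the ACCEPT, the STRING build, the PREPARE and the unguarded ADD; the second ADD passes because it carries ON SIZE ERROR. The hardened counterparts a reviewer would look for are a static EXEC SQL statement with the account id passed as a host variable instead of concatenated text, plus explicit length and format checks after the ACCEPT.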