SystemAdmin
403 Posts

Secure coding standards for COBOL

2009-05-27T12:01:52Z

Hi,
I am looking for secure coding standards for COBOL. Can someone help me?
I have searched the internet and I am able to get them for C and Java. I am looking for similar standards for COBOL.
Below is the link which has the C and Java standards.
https://www.securecoding.cert.org
Thanks,
Ravi

Updated on 2009-06-08T12:35:09Z at 2009-06-08T12:35:09Z by timhahn
  • jsayles
    86 Posts

    Re: Secure coding standards for COBOL

    2009-05-27T14:51:22Z

    Hi Ravi. This is an interesting question. I will research within IBM. I have two thoughts though, first:

    1. The ones I viewed in the Java/C/C++ sub-pages were mostly "Best Practices" - and didn't have THAT much to do with Secure - as in Security
    2. IBM COBOL - running under AIX, z/OS, IBM i, etc. represents back-end functionality - not directly addressable through hacking techniques like "SQL Injection" (which should be caught by Java, EGL or .NET front-ends)

    Or am I missing some other point in your question?
  • SystemAdmin
    403 Posts

    Re: Secure coding standards for COBOL

    2009-05-28T04:57:02Z
    In reply to jsayles, 2009-05-27T14:51:22Z

    Jsayles,
    Thanks for your reply.
    I just started thinking about secure coding standards for COBOL.
    All this discussion came up when an incident happened at my customer's site.
    1. Our application uses web services; in the front end we have Java and IBM middleware, and in the back end we have CICS, DB2 and COBOL.
    At the end of 2008, a hacker was able to attack the web part of the application and started creating accounts. The data was so perfect that it passed through all the validation in the Java part, bypassed all the security layers in the middleware and entered the mainframe. The hacker was able to put all the data into the DB2 database.
    Even though there was no financial loss, it created a panic.
    Now the question brought up is that secure coding practice needs to be followed in the project.
    For this we were able to get information for most of the other technologies, but I was not able to get any information with respect to COBOL and JCL.
    Initially I thought I would go through the C secure coding standards and convert them to COBOL. This didn't work out well.
    Now again I have started looking for information.
    Please share your thoughts with respect to best coding practices... Maybe that will become a starting point for me.

  • papadi
    22 Posts

    Re: Secure coding standards for COBOL

    2009-05-31T05:01:25Z

    In reply to SystemAdmin, 2009-05-28T04:57:02Z

    Hi,
    For my $.02, security is the job of the security software rather than the application.
    There are far more problems with application-level security than there are benefits.
    I believe that the time and effort invested in incorporating security measures in the application coding standards would be much better spent elsewhere.
    Keep in mind that 2 of the most common "security breaches" occur when an authorized user does intentional/accidental bad things or when someone clandestinely obtains some user id/pwd.
    Most organizations have someone or some group responsible for managing the security plan and that effort is by design outside the applications.
  • timhahn
    16 Posts

    Re: Secure coding standards for COBOL

    2009-06-08T12:35:09Z
    In reply to papadi, 2009-05-31T05:01:25Z

    Hello,
    From my perspective, application security is ensured through a combination of both secure programming (including design, implementation, testing, and maintenance of the software) as well as employing security products around an application.
    Further, secure programming concepts are language INdependent. What we often see written up, however, are secure programming concepts expressed and exhibited and explained using a particular programming language. With the current popularity of Java, most of the secure programming examples we see are described using Java example code.
    But a failure to adequately check input parameters is a problem no matter what language is used to create the application. And so it is that "SQL injection" could afflict an application written in COBOL just as easily (or hard) as it could afflict an application written in Java or C or C++. The same can be said for cross-site scripting or escalation of privileges as well.
    What we happen to be seeing in the industry today is much more attention to user-interactive applications - so-called online transaction processing. Potential attackers often exploit such interfaces using computers to interact with interfaces that are intended for human interaction and thereby are able to exploit vulnerabilities in the interface which the application programmer was not expecting (flooding input characters, denial of service attacks, mal-formed input strings, excessive escape character sequences, etc.)
    We are also seeing a trend towards opening up various parts of existing application code using newly constructed/defined interfaces (aka web services). We must be diligent when modernizing our software to be used in these new ways to ensure that tasks such as input parameter checking, bounds checking, and no escalation of privilege are ensured even when these new interfaces are created. This will very likely require some new source code to be written to do such checking since the original application code may have assumed that all inputs had been checked prior to this part of the application being invoked.
    In summary, secure programming concepts and recommendations are language independent. Putting concepts into practice is very much language dependent, and when to employ which practices very much depends on the architecture, design, and interface points of the application itself. Those programmers familiar with Java and/or C and COBOL should be able to apply the examples from Java and/or C to their COBOL programs.
    Regards,
    Tim Hahn
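
Tim's two points, that SQL injection and missing input checks apply to COBOL just as they do to Java, and that code newly exposed through a web service has to check its own parameters because its original callers did that for it, in an added example that is not part of this thread and not IBM code. The program name, the DB2 table CUSTACCT with columns ACCT_ID CHAR(12) and STATUS CHAR(8), the 32-byte caller parameter and the return codes are all hypothetical; the code assumes IBM Enterprise COBOL with the DB2 precompiler or coprocessor, so it only builds in that environment.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. ACCTCLOS.
      *----------------------------------------------------------------
      * Added example, not code from the thread. Closes one account in
      * a hypothetical DB2 table CUSTACCT (ACCT_ID CHAR(12),
      * STATUS CHAR(8)) using an id passed in by a caller this program
      * no longer trusts, e.g. a web-service wrapper in front of CICS.
      *----------------------------------------------------------------
       DATA DIVISION.
       WORKING-STORAGE SECTION.
           EXEC SQL INCLUDE SQLCA END-EXEC.
           EXEC SQL BEGIN DECLARE SECTION END-EXEC.
       01  WS-ACCT-ID              PIC X(12).
       01  WS-SQL-TEXT             PIC X(200).
           EXEC SQL END DECLARE SECTION END-EXEC.
       01  WS-I                    PIC 9(2).
       01  WS-CH                   PIC X.
       01  WS-VALID-FLAG           PIC X VALUE 'N'.
           88  WS-INPUT-VALID      VALUE 'Y'.
       LINKAGE SECTION.
       01  LS-ACCT-ID              PIC X(32).
       01  LS-RETCODE              PIC S9(4) COMP.
       PROCEDURE DIVISION USING LS-ACCT-ID LS-RETCODE.
       MAIN-PARA.
           PERFORM VALIDATE-INPUT
           IF WS-INPUT-VALID
               PERFORM CLOSE-ACCOUNT-SAFE
           ELSE
               MOVE 8 TO LS-RETCODE
           END-IF
           GOBACK.

      * Length and character check done here, not left to the front
      * end. A 32-byte id would otherwise be truncated to 12 bytes on
      * MOVE without any error, and any byte other than A-Z, 0-9 or
      * space is rejected (space counts as ALPHABETIC-UPPER, so ids
      * shorter than 12 bytes with trailing blanks are accepted).
       VALIDATE-INPUT.
           MOVE 'N' TO WS-VALID-FLAG
           IF LS-ACCT-ID(13:20) = SPACES
              AND LS-ACCT-ID(1:12) NOT = SPACES
               MOVE 'Y' TO WS-VALID-FLAG
               PERFORM VARYING WS-I FROM 1 BY 1 UNTIL WS-I > 12
                   MOVE LS-ACCT-ID(WS-I:1) TO WS-CH
                   IF WS-CH NOT ALPHABETIC-UPPER
                      AND WS-CH NOT NUMERIC
                       MOVE 'N' TO WS-VALID-FLAG
                   END-IF
               END-PERFORM
           END-IF
           IF WS-INPUT-VALID
               MOVE LS-ACCT-ID(1:12) TO WS-ACCT-ID
           END-IF.

      * Hardened form: static SQL with a host variable. The id is bound
      * as data, so quote characters in it can never alter the statement.
       CLOSE-ACCOUNT-SAFE.
           EXEC SQL
               UPDATE CUSTACCT
                  SET STATUS = 'CLOSED'
                WHERE ACCT_ID = :WS-ACCT-ID
           END-EXEC
           IF SQLCODE = 0
               MOVE 0 TO LS-RETCODE
           ELSE
               MOVE 4 TO LS-RETCODE
           END-IF.

      * Vulnerable form, kept only for contrast and never PERFORMed:
      * the caller's bytes are pasted into the statement text. An id of
      *    X' OR '1'='1
      * yields  ... WHERE ACCT_ID = 'X' OR '1'='1   ...'  and closes
      * every account, exactly the kind of request that passes a
      * front-end check which only looks at length and content type.
       CLOSE-ACCOUNT-UNSAFE.
           MOVE SPACES TO WS-SQL-TEXT
           STRING 'UPDATE CUSTACCT SET STATUS = ''CLOSED'' '
                  'WHERE ACCT_ID = '''   DELIMITED BY SIZE
                  LS-ACCT-ID             DELIMITED BY SIZE
                  ''''                   DELIMITED BY SIZE
               INTO WS-SQL-TEXT
           END-STRING
           EXEC SQL EXECUTE IMMEDIATE :WS-SQL-TEXT END-EXEC.
```

Two things a COBOL coding standard can make mechanical from this: every PREPARE or EXECUTE IMMEDIATE whose statement text is assembled with STRING or MOVE from caller-supplied data gets reviewed, with static SQL and host variables as the default; and input checks reject rather than "clean up", because stripping the quotes out of an id and carrying on is exactly how data that looks perfect at every layer still reaches DB2. In a CICS program the LINKAGE parameters would normally arrive via the COMMAREA or a container and the exit would be EXEC CICS RETURN, but the validation and the static SQL are unchanged.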