Introduction
- A Brief History Lesson
- Limitations of COBOL
- Mainframe and COBOL Use Today
Understanding Security Principles
- Confidentiality, Integrity, and Availability
- Least Privilege
- Defense-in-Depth
- Creating Security Requirements and Test Cases
- Reusable Code
- Additional Resources
COBOL Security Myths
- Five COBOL Security Myths
- Myth 1: COBOL applications are not connected to the Internet.
- Myth 2: Common attack techniques do not apply to mainframe applications.
- Myth 3: COBOL applications are not responsible for input validation.
- Myth 4: COBOL performs automatic bounds-checking.
- Myth 5: Hackers are not interested in targeting COBOL applications.
- COBOL is not dead and the security risks are real.
Typical COBOL System Assets and Security Implications
- Telnet
- FTP
- SNA and VTAM
- JCL
- RACF
- Additional Resources
Secure Input Validation and Data Representation
- Input Validation Goals and Techniques
- Trust Boundaries
- Data Representation
- Output Encoding
- Output Encoding Example
Secure Database Access
- Why Databases Are Business-Critical
- Best Practices for Database Access
- Parameterized Queries
- Using Least Privilege for Database Accounts
- Storing Database Access Credentials
- Preventing Privilege Escalation
- DB2 Security Concerns
- Further Learning
Secure Logging Practices
- How Keeping Accurate Logs Increases Security
- What to Log
- What Not to Log
- Additional Best Practices
- Preventing Log Tampering
- Example: Scrubbing Logs of Sensitive Information
Secure Error Handling
- Leaking Sensitive Information
- Failing to Clean Up
- Failing to Handle All Error Conditions
- Errors and System Functions
- Best Practices for Error Handling
- Example: Secure Error Handling
Course Conclusion