Published in Zowe

Secure Development Practices within Zowe


Secure requirements

  • Publish Software Bill of Materials (SBOM)
  • Publish Third-party Statement (TPSR) — Statement about all the products and packages that are used within the project.
  • Regularly analyze code with tools for static analysis
  • Regularly verify running applications with tools for dynamic analysis
  • Regularly conduct external security audits

Secure development

Contributions to Zowe

Dependencies within Zowe

  1. The addition of new dependencies is discussed during the relevant squad call to limit the risks of introducing such dependencies. Introduction of such dependencies should also be addressed within the architecture working group if deemed significant.
  2. The code of any new dependency is scanned, and the current dependencies are checked for vulnerabilities weekly. Any discovered vulnerabilities are discussed within the security working group and, based on their severity, are planned for resolution. Medium- and high-severity issues are usually fixed with the next minor release. Critical issues can result in a security patch version of Zowe.
  3. There is a process in place whereby third parties reach out to zowe-security@lists.openmainframeproject.org to inform the TSC about security vulnerabilities within Zowe’s code. If the TSC finds any security risk introduced in the code, the committee publishes information via the standard process and lets all users know about the need to update.
  4. All vulnerabilities are published in Zowe Docs, specifying which vulnerabilities were fixed in the previous version. For example, when Zowe 1.28 was released, the vulnerabilities fixed in Zowe 1.27 were also published with this new release.

Conclusion


Zowe is the modern open source interface for the mainframe and z/OS. The Zowe blog has how-to’s, tips & tricks and other helpful insights for mainframe devops. Zowe is a project within the Linux Foundation’s Open Mainframe Project (OMP). Download @ Zowe.org.

Jakub Balhar

I always try to find answers to complex questions. Now exploring the world of mainframes at Broadcom Inc.