Although the mainframe was built as a secure platform, the way applications are developed on it has evolved over the last 15-20 years. The use of modern languages and open source software has created challenges in maintaining the security not just of the platform itself, but of the entire software supply chain that feeds it.
In this episode of TFiR Mainframe Matters recorded at the Open Mainframe Summit in Philadelphia, Swapnil Bhartiya sits down with Emre Tunar, Director of Software Engineering at Broadcom, to discuss mainframe security.
Key highlights of this video interview:
- Mainframe was originally built as a secure platform. However, the way applications are developed has changed and has opened the platform to the rest of the enterprise. This has created new attack surfaces and risks for mainframe users.
- Supply chain attacks have been at the forefront of cybersecurity discussions in recent times. There are many initiatives aimed at addressing these challenges, including the US government's executive order issued last year (Executive Order 14028, May 2021) requiring federal agencies to enhance cybersecurity and software supply chain integrity.
- The community is responding to security risks with new standards and providing visibility into what is in the software, enabling better tracking of vulnerabilities.
- Who is responsible for securing the supply chain continues to be a hot topic. Tunar discusses how vendors need to own the supply chain they deliver to their customers, and open source projects need to own their own supply chain. However, there is a lack of standardization, and more work needs to be done around visibility and transparency.
- While there is more transparency since Biden's executive order, Tunar feels disclosure and transparency should be balanced against the additional risk they can create, especially around zero-days.
- Increased open-source usage on the mainframe also increases exposure to security vulnerabilities. Following best practices for patching software and having a maintenance program in place are critical.
- Tunar's advice for new developers coming into the mainframe community is to embrace a security-first mindset: understand the security value proposition of the platform and contribute to it. He suggests they educate themselves on how to write secure software and on the relevant security and vulnerability management standards.
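The "visibility into what is in the software" mentioned above is what makes the patching and maintenance program in the later point workable: once components and their versions are inventoried, advisories can be matched against the inventory mechanically. The script below is an added example for this page, not code from the interview, from Broadcom or from any project it names. It assumes the inventory takes a CycloneDX-like JSON shape (name, version and package URL per component); the SBOM, the component names and the advisory identifiers are all constructed for illustration and describe no real software and no real vulnerabilities.

```python
import json
import re

# Constructed sample inventory in a CycloneDX-like shape (not a real SBOM).
# One component deliberately has no purl, to show what an untracked
# dependency looks like to a maintenance program.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json", "version": "2.3.1",
     "purl": "pkg:npm/example-json@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "1.0.9",
     "purl": "pkg:npm/example-yaml@1.0.9"},
    {"type": "library", "name": "example-log", "version": "4.2.0",
     "purl": "pkg:maven/org.example/example-log@4.2.0"},
    {"type": "library", "name": "in-house-util", "version": "0.3"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# 'introduced' is the first affected version, 'fixed' the first version
# that is no longer affected; None means no fix has been released.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "purl_prefix": "pkg:npm/example-json",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "EXAMPLE-2022-0002", "purl_prefix": "pkg:npm/example-yaml",
     "introduced": "1.1.0", "fixed": "1.1.4"},
    {"id": "EXAMPLE-2022-0003", "purl_prefix": "pkg:maven/org.example/example-log",
     "introduced": "4.0.0", "fixed": None},
]


def parse_version(version):
    """Turn '1.2.3' (optionally with a '-rc1' style suffix) into (1, 2, 3).

    Pre-release suffixes are dropped and non-numeric parts count as 0, so a
    malformed version string is treated as old rather than as patched.
    """
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def purl_without_version(purl):
    """'pkg:npm/example-json@2.3.1' -> 'pkg:npm/example-json'."""
    return purl.split("@", 1)[0]


def is_affected(version, advisory):
    """True if version lies in [introduced, fixed), or in [introduced, ...) when unfixed."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    if advisory["fixed"] is None:
        return True
    return v < parse_version(advisory["fixed"])


def find_affected(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that matches."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no package identity: cannot be matched, see untracked_components()
        base = purl_without_version(purl)
        for adv in advisories:
            if base == adv["purl_prefix"] and is_affected(comp["version"], adv):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def untracked_components(sbom_json):
    """Components without a purl: present in the build but invisible to advisory matching."""
    bom = json.loads(sbom_json)
    return [c["name"] for c in bom.get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        fix = f["fixed_in"] or "no fix available, mitigate or monitor"
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {fix})")
    for name in untracked_components(SAMPLE_SBOM_JSON):
        print(f"{name}: no package URL, cannot be matched against advisories")
```

The unmatched case matters as much as the matches: a component with no package identity cannot be tracked by any advisory feed, which is the gap in visibility the interview describes. A real maintenance program would feed a generated SBOM and a live advisory source into this kind of check on every build rather than the constructed data shown here.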
The summary of the show is written by Emily Nicholls.