Zowe is an open-source software framework that provides solutions that allow developers to securely manage, script, and develop on the mainframe as they would on cloud platforms. In this episode of TFiR: T3M, Swapnil Bhartiya catches up with Jakub Balhar, Chair of the Zowe TSC at Open Mainframe Project (OMP) and Principal Product Owner at Broadcom. The two met up at Open Mainframe Summit last year but now they have returned to talk about Zowe’s perspective on security and how the project is shaping the security ecosystem.
Zowe’s perspective on the security space:
- There is increased attention to how open-source software is developed securely and how it can be verified. Zowe is working to ensure the practices they do ensure the code and pieces that are produced or used in production are safe.
- Balhar explains the steps Zowe is taking in cleaning up problematic dependencies or utilizing security experts to resolve security issues.
Key security issues in mainframe and distributed:
- Privilege escalation is a serious issue for both mainframe and the distributed world. Phishing and stealing users’ authentication credentials are still prevalent. Balhar discusses the work they are doing with privilege escalation with the command line.
- The Enterprise Security Managers (ESMs) tend to be configured in a way that unless you have very specifically-added privileges by default, you do not have the rights. However, this is not always the case with distributed.
What has Zowe taken from the mainframe perspective?
- Zowe took some minor things from the mainframe perspective such as ensuring that they make sure people are configuring the solutions in a proper way. Mainframe projects provide security guidelines where every possible point that touches the key security mechanisms within the mainframe is outlined.
- The biggest concerns coming from the mainframe are what are the potential concerns and whether to accept them given the functionality you are looking for, and secondly, considering the dependency on the mainframe ESM.
- Two of the benefits of mainframe are that everything is propagated to a single flow of events, SMF records, and end-to-end encryption for the data in flight and data at rest is by default.
What is being done to tackle security issues?
- Open Mainframe Project, the Linux Foundation, and the OpenSSF work extensively with security projects, particularly with the specification of standards and expectations of the projects to follow. Education on security and developing secure code remains crucial, and they work extensively to educate developers on the potential risks.
- OpenSSF runs scripts on a weekly basis going through the practices and verifying the 1.5 million open-source products are healthy, with setups and configurations behaving correctly. This is integrated into their pipelines and discussions on adding new dependencies to their chain.
Awareness in the ecosystem about security considerations:
- Security talks and sessions in the conferences and shows are the best attended. Attendees fall into three groups: engineers deploying Zowe into the mainframe environment, application developers, and others living within the organization where Zowe is already deployed, and decision makers within companies.
- Interested parties can go to the www.zowe.org website to see how they handle security-related issues, and their policies are also published on the GitHub repository.
This summary was written by Emily Nicholls.