COBOL, legacy code, and security scans

One of the major problems in any organization is that its oldest code has never been tested against classes of bugs discovered after it was written. VB6, classic ASP, and even COBOL can be vulnerable to flaws we think of as modern, such as SQL injection. As "Charles" writes on Stack Overflow,
 
“Non-parameterized dynamic statements are what you need to worry about…for example,

    STRING "INSERT INTO TBL (a,b,c) VALUES (" DELIMITED BY SIZE
           X DELIMITED BY SPACE
           ", " DELIMITED BY SIZE
           Y DELIMITED BY SPACE
           ", " DELIMITED BY SIZE
           Z DELIMITED BY SPACE
           ")" DELIMITED BY SIZE
           INTO WSQLSTMT.

    EXEC SQL PREPARE MYSTMT FROM :WSQLSTMT END-EXEC.

    EXEC SQL EXECUTE MYSTMT END-EXEC.”
 
In the example above, the contents of X, Y and Z are concatenated straight into the statement text. If any of them is populated from a free-text CICS input field, a user can close the VALUES clause early and append SQL of their own, and the database executes whatever WSQLSTMT ends up holding. The remedy is the same as on any other platform: keep the statement text constant and pass the values as host variables, either in static embedded SQL or in a prepared statement with parameter markers that is executed with USING.
 
Because legacy platforms like CICS often run an organization's most critical business applications, their underlying COBOL code belongs in the same static analysis and security scans as everything else. A scanner that never sees the COBOL will never flag dynamic SQL like the statement above.
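As an added example (not code from the original post or from the Stack Overflow answer it quotes), here is a small Python check of the kind such a scan could include: it flags an EXEC SQL PREPARE whose statement text was assembled with STRING from host variables, and stays quiet for the two safe forms. The three COBOL programs it scans are constructed for the demonstration, as are the names WSQLSTMT, MYSTMT, X, Y and Z; the matching is a deliberate heuristic rather than a full COBOL parser.

```python
"""Heuristic scanner for SQL injection sinks in embedded-SQL COBOL.

Added example, not code from the original post or from Stack Overflow.
It looks for the pattern the post quotes: statement text assembled with
STRING from host variables, then handed to EXEC SQL PREPARE ... FROM.
The sample programs and the names WSQLSTMT, MYSTMT, X, Y, Z are constructed.
"""
import re
from dataclasses import dataclass

# Constructed vulnerable program: X, Y and Z (assume a free-text CICS field
# fills them) are concatenated into the statement text.
VULNERABLE_COBOL = """\
       WORKING-STORAGE SECTION.
       01  WSQLSTMT       PIC X(500).
       01  X              PIC X(20).
       01  Y              PIC X(20).
       01  Z              PIC X(20).
       PROCEDURE DIVISION.
      * Dynamic SQL built by concatenation: injectable.
           STRING "INSERT INTO TBL (a,b,c) VALUES ('" DELIMITED BY SIZE
                  X   DELIMITED BY SPACE
                  "','" DELIMITED BY SIZE
                  Y   DELIMITED BY SPACE
                  "','" DELIMITED BY SIZE
                  Z   DELIMITED BY SPACE
                  "')" DELIMITED BY SIZE
                  INTO WSQLSTMT.
           EXEC SQL PREPARE MYSTMT FROM :WSQLSTMT END-EXEC.
           EXEC SQL EXECUTE MYSTMT END-EXEC.
"""

# Constructed hardened program: constant statement text with parameter
# markers; the values travel as host variables on EXECUTE USING.
HARDENED_COBOL = """\
       PROCEDURE DIVISION.
           STRING "INSERT INTO TBL (a,b,c) VALUES (?, ?, ?)"
                  DELIMITED BY SIZE INTO WSQLSTMT.
           EXEC SQL PREPARE MYSTMT FROM :WSQLSTMT END-EXEC.
           EXEC SQL EXECUTE MYSTMT USING :X, :Y, :Z END-EXEC.
"""

# Constructed static-SQL variant: host variables bound by the precompiler.
STATIC_COBOL = """\
       PROCEDURE DIVISION.
           EXEC SQL
               INSERT INTO TBL (a, b, c) VALUES (:X, :Y, :Z)
           END-EXEC.
"""

LITERAL_RE = re.compile(r'"[^"]*"|\'[^\']*\'')
STRING_RE = re.compile(r"\bSTRING\b(?P<operands>.*?)\bINTO\s+(?P<target>[A-Z][A-Z0-9-]*)")
PREPARE_RE = re.compile(
    r"\bEXEC\s+SQL\s+PREPARE\s+(?P<stmt>[A-Z][A-Z0-9-]*)\s+FROM\s+:(?P<source>[A-Z][A-Z0-9-]*)")
DATA_NAME_RE = re.compile(r"^[A-Z][A-Z0-9-]*$")
# Words that can remain in a STRING operand list but are not data names.
STRING_KEYWORDS = {"DELIMITED", "BY", "SIZE", "SPACE", "SPACES", "WITH",
                   "POINTER", "ON", "NOT", "OVERFLOW", "END-STRING"}


@dataclass
class Finding:
    statement: str    # the prepared statement name
    source_var: str   # the host variable handed to PREPARE FROM
    tainted_by: list  # data names concatenated into source_var


def flatten(src: str) -> str:
    """Uppercase, drop comment lines and join the program into one line.

    Fixed-format comments have '*' or '/' in column 7; free-format ones
    start with '*>'. COBOL is case-insensitive, so uppercasing is safe.
    """
    kept = []
    for line in src.splitlines():
        if len(line) > 6 and line[6] in "*/":
            continue
        line = line.split("*>", 1)[0].strip()
        if line:
            kept.append(line.upper())
    return " ".join(kept)


def string_sources(masked: str) -> dict:
    """Map each STRING target to the data names concatenated into it."""
    targets = {}
    for m in STRING_RE.finditer(masked):
        operands = re.sub(r"DELIMITED\s+BY\s+\S+", " ", m.group("operands"))
        operands = re.sub(r"WITH\s+POINTER\s+\S+", " ", operands)
        names = [t for t in operands.split()
                 if DATA_NAME_RE.match(t) and t not in STRING_KEYWORDS]
        if names:
            bucket = targets.setdefault(m.group("target"), [])
            bucket.extend(n for n in names if n not in bucket)
    return targets


def scan_cobol(src: str) -> list:
    """Return a Finding for each PREPARE whose text was built from data names."""
    # Mask literals first so an INTO inside SQL text is not mistaken for the
    # STRING statement's own INTO clause.
    masked = LITERAL_RE.sub(" <LIT> ", flatten(src))
    tainted = string_sources(masked)
    return [Finding(m.group("stmt"), m.group("source"), tainted[m.group("source")])
            for m in PREPARE_RE.finditer(masked) if m.group("source") in tainted]


if __name__ == "__main__":
    for label, program in (("vulnerable", VULNERABLE_COBOL),
                           ("hardened", HARDENED_COBOL),
                           ("static", STATIC_COBOL)):
        print(label, scan_cobol(program))
```

The vulnerable program yields one finding naming WSQLSTMT and the data names X, Y and Z; the hardened program and the static-SQL program yield none. A MOVE of a host variable into WSQLSTMT, or a STRING target later copied into another variable, would slip past this check, so a production scan needs dataflow tracking rather than pattern matching; the point is that the check only finds anything if the COBOL is in scope for the scan at all.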
