
Foundations of COBOL Security

Course Description

This course covers the risks associated with COBOL systems and the myths surrounding COBOL programming security. Topics include a taxonomy of system vulnerabilities as they apply to COBOL, along with other security issues. The course first reviews COBOL programming best practices, then demonstrates how to avoid or mitigate the vulnerabilities.

Learning Objectives

  • Recognize common security risks affecting COBOL programs
  • Identify security vulnerabilities in COBOL code
  • Write secure code to mitigate the risk

Details

Delivery Format: eLearning

Duration: 1 hour 30 minutes

Level: Beginner

Intended Audience

  • Architects
  • Back-End Developers
  • Front-End Developers
  • QA Engineers

Prerequisites:

Course Outline

Introduction

  • A Brief History Lesson
  • Limitations of COBOL
  • Mainframe and COBOL Use Today

Understanding Security Principles

  • Confidentiality, Integrity, and Availability
  • Least Privilege
  • Defense-in-Depth
  • Creating Security Requirements and Test Cases
  • Reusable Code
  • Additional Resources

COBOL Security Myths

  • Five COBOL Security Myths
  • Myth 1: COBOL applications are not connected to the Internet.
  • Myth 2: Common attack techniques do not apply to mainframe applications.
  • Myth 3: COBOL applications are not responsible for input validation.
  • Myth 4: COBOL performs automatic bounds-checking.
  • Myth 5: Hackers are not interested in targeting COBOL applications.
  • COBOL is not dead and the security risks are real.
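
As an added example (not part of the course material), the following short program illustrates Myths 3 and 4 together. A table subscript arrives as untrusted input, and because COBOL performs no subscript range check by default, an out-of-range MOVE silently writes past the table into whatever field is declared next in WORKING-STORAGE. The second path shows the explicit range check the program has to make for itself. The program name, field names and the input values are constructed for the illustration. Compiling with IBM Enterprise COBOL's SSRANGE option or GnuCOBOL's -debug adds a runtime subscript check, but that check is an option that can be left off or disabled, so validating the subscript in code remains the in-program defense.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. BOUNDS-DEMO.
      * Added example, not course code. Shows that COBOL does not
      * range-check table subscripts by default (Myth 4) and that
      * the program itself must validate the input (Myth 3).
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * A 3-slot table followed immediately by an unrelated field.
      * Storage is contiguous, so "slot 4" is really WS-AUTH-FLAG.
       01  WS-RECORD.
           05  WS-SLOT      PIC X(4) OCCURS 3 TIMES.
           05  WS-AUTH-FLAG PIC X(4) VALUE "DENY".
      * Constructed "user input": a slot number and a value, as they
      * might arrive from a screen map or a parsed request.
       01  WS-INPUT-SLOT    PIC 9(2) VALUE 4.
       01  WS-INPUT-VALUE   PIC X(4) VALUE "ALOW".
       01  WS-IDX           PIC 9(2).
       PROCEDURE DIVISION.
       MAIN-PARA.
           MOVE WS-INPUT-SLOT TO WS-IDX
      * Vulnerable path: no range check. Compiled without SSRANGE
      * (IBM) or -debug (GnuCOBOL), subscript 4 addresses the 4 bytes
      * after the table and overwrites WS-AUTH-FLAG with "ALOW".
           MOVE WS-INPUT-VALUE TO WS-SLOT(WS-IDX)
           DISPLAY "Unchecked write, AUTH-FLAG is now: " WS-AUTH-FLAG
      * Reset the flag and repeat the store through the checked path.
           MOVE "DENY" TO WS-AUTH-FLAG
           PERFORM SAFE-STORE
           DISPLAY "Checked write,   AUTH-FLAG is now: " WS-AUTH-FLAG
           STOP RUN.
       SAFE-STORE.
      * Validate the subscript against the declared table size before
      * using it. Reject rather than clamp, so bad input is visible.
           IF WS-IDX < 1 OR WS-IDX > 3
               DISPLAY "Rejected out-of-range slot " WS-IDX
           ELSE
               MOVE WS-INPUT-VALUE TO WS-SLOT(WS-IDX)
           END-IF.
```

Run under default compiler options, the first DISPLAY shows the flag changed to ALOW without any error; the checked path reports the rejected slot and leaves the flag at DENY. The same pattern applies to any subscript, index or reference-modification offset derived from data crossing a trust boundary.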

Typical COBOL System Assets and Security Implications

  • Telnet
  • FTP
  • SNA and VTAM
  • JCL
  • RACF
  • Additional Resources

Secure Input Validation and Data Representation

  • Input Validation Goals and Techniques
  • Trust Boundaries
  • Data Representation
  • Output Encoding
  • Output Encoding Example

Secure Database Access

  • Why Databases Are Business-Critical
  • Best Practices for Database Access
  • Parameterized Queries
  • Using Least Privilege for Database Accounts
  • Storing Database Access Credentials
  • Preventing Privilege Escalation
  • DB2 Security Concerns
  • Further Learning

Secure Logging Practices

  • How Keeping Accurate Logs Increases Security
  • What to Log
  • What Not to Log
  • Additional Best Practices
  • Preventing Log Tampering
  • Example: Scrubbing Logs of Sensitive Information

Secure Error Handling

  • Leaking Sensitive Information
  • Failing to Clean Up
  • Failing to Handle All Error Conditions
  • Errors and System Functions
  • Best Practices for Error Handling
  • Example: Secure Error Handling

Course Conclusion
