...
Our Static Analysis can handle very large COBOL Programs. Until now the largest program we analyzed was 193 MLOC in a single file. Example of vulnerabilities categories that can be detected for COBOL:
Access Control Database, Access Control DLI, Access Control MQSeries
Improper use of pointers
Deprecated, Unsupported or Obsolete Functions
Avoid dumping system information, Avoid debug statements, Log forging, DLI Log Forging
Code Injection, Command Injection, Queue Resource Injection
Cross-Site Scripting, UTF-7 Cross-Site Scripting, Stored Cross Site Scripting
Security Decisions Via Untrusted Inputs
Avoid non-portable statements
Avoid runtime subroutine calls, Call Settings Manipulation, Dynamic Code, Native Code/Library
Improper use of RANDOM
Poor error handling regarding: Ignored error condition, Multiple HANDLE ABEND, RESP, NOHANDLE
Unsafe FILE STATUS
Data truncation in MOVE
SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)
Unsupported DBMS
EXEC CICS WEB Abuse
Header, Session or Cookies manipulation, HTTP Response Splitting/Tampering, URL Redirect,
File Upload, File Download, Server-Side Request Forgery, etc.)
Information Leakage, Log Forging
Privacy Violation
Password management/hardened credentials mistakes
Authentication mistakes
Code Injection, Command Injection, Resource Injection, XML Injection, File Injection
File Path manipulation
Invalid Process Control, Invalid Systems Calls, Dangerous COBOL/System commands
Unsecure Communications (missed SSL, Outgoing FTP, etc.)
Crypto-related vulnerabilities
CICS System Programming issues
XML parsing issues
Misconfigurations
Insecure Cryptography
Poor Input Validation
Integer Overflow
Unused Parameter, Unused Label, Unused PERFORM, Unused data structures
JCL
Example of vulnerabilities categories that can be detected for JCL:
Hardcoded Password (JCL)
Avoid Changing Password in a JOB (JCL)
Avoid assembler statements (JCL)
Avoid shell statements (JCL)
Avoid in-stream REXX statements (JCL)
Hardcoded JAVA key (JCL)
Absolute PATH in DD statement (JCL)
Hardcoded REXX key (JCL)
Avoid CEDA system commands (JCL)
Avoid CECI system commands (JCL)
Avoid CEMT system commands (JCL)
Avoid RACF activation (JCL)
Avoid access CICS TCPIP service (JCL)
Avoid mounting a filesystem (JCL)
Avoid REXX system commands (JCL)
Avoid EXEC of inline shell statements (JCL)
Avoid starting TomCat inside a task (JCL)
SQL-related issues
Avoid multiple JOB, JOBLIB, JCLLIB statements (JCL)
Empty conditional statement (JCL)
Incorrect JOB, EXEC, DDName name (JCL)
Obsolete DD keyword (JCL)
Obsolete OUTPUT DD LIKE statement (JCL)
PROCLIB not valid in JOB card (JCL)
Parameter not valid in JOB card (JCL)
Incorrect JOB accounting information (JCL)
Incorrect JOB CLASS, MSGCLASS, MSGLEVEL, PRIORITY (JCL)
Obsolete CARDS, CCSID parameter (JCL)
Avoid using &SYSUID (JCL)
Too much instream PROC in a JOB (JCL)
Obsolete DCB keyword (JCL)
Obsolete ROLL statement (JCL)
Unsupported statement (JCL)
Security
Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.
...