The Arcati Mainframe Yearbook 2018

The independent annual guide for users of IBM mainframe systems

© Arcati Limited, 2018

SPONSORED BY: Action Software, Azamour Solutions, Compuware, Data Kinetics, EPV Technologies, Fischer International Systems Corporation, Hostbridge Technology, Key Resources Inc, Software AG, Software Diversified Services, UBS Hainer

PUBLISHED BY:
Arcati Limited
19 Ashbourne Way
Thatcham
Berks RG19 3SJ
UK
Phone: +44 (0) 7717 858284
Fax: +44 (0) 1635 881717
Web: http://www.arcati.com/
E-mail: mainframe@arcati.com

Contents

Welcome to the Arcati Mainframe Yearbook 2018 ... 3
Staying secure and compliant ... 5
How to Ditch Waterfall for DevOps on the Mainframe ... 10
Health Solutions Provider Accelerates Integration, Sparks IT Collaboration Using Server-Side JavaScript ... 16
z/OS Code Scanning Is Essential to System z® Security ... 21
DevOps for the mainframe ... 27
‘Reports of my death have been greatly exaggerated’ ... 33
The 2018 Mainframe User Survey ... 36
    An analysis of the profile, plans, and priorities of mainframe users
Vendor Directory ... 52
    Vendors, consultants, and service providers in the z/OS environment
A guide to sources of information for IBM mainframers ... 136
    Information resources, publications, social media, and user groups for the z/OS environment
Glossary of Terminology ... 142
    Definitions of some mainframe-related terms
Mainframe evolution ... 173
    Mainframe hardware timeline 1952-2017; mainframe operating system development

SPONSORS

Action Software 55, 56
Azamour Solutions 61, 141
Compuware Corporation 10, 72
Data Kinetics 51, 76
EPV Technologies 83
Fischer International Systems Corporation 85
Hostbridge Technology 16, 92
Key Resources Inc 21, 99
Software AG 27, 120
Software Diversified Services 4, 121
UBS Hainer 129, 130

Mainframe strategy

The Arcati Mainframe Yearbook 2018
Publisher: Mark Lillycrop
Editorial Director: Trevor Eddolls
Contributors: SDS, Compuware, Hostbridge, Ray Overby, Zvonimir Ivanetic, Mark Wilson

© 2018, Arcati Limited.

All company and product names mentioned in this publication remain the property of their respective owners.

This Yearbook is the copyright of Arcati Limited, and may not be reproduced or distributed in whole or in part without the permission of the owner. A licence for internal e-mail or intranet distribution may be obtained from the publisher. Please contact Arcati for details.

Welcome to the Arcati Mainframe Yearbook 2018

We are very grateful – as always – to all those who have contributed this year by writing articles, taking part in our annual user survey, or updating their company profiles. In particular, I must thank the sponsors and advertisers, without whose support this Yearbook would not be possible.

2017 seems to be picking up where 2016 left off, and there is a spring in the step of the mainframe world. Vendors, who never admit that business is a bit flat anyway, seem to have bigger smiles when they tell me that business has been good. And at user group meetings, sites seem to be trialling newer software and techniques, whereas before there had been a certain reluctance to try anything new.

On the downside, of course, the IT world has been reeling from ransomware and other cyber attacks. In May 2017 WannaCry locked computers, and messages appeared demanding $300 in Bitcoin to regain access. We also heard in 2017 that Members of the British Parliament had had their e-mails hacked. Deloitte was hit by a cyberattack, which accessed e-mails, usernames, passwords, health information, and details from Deloitte’s clients. Equifax had the account details of 143 million customers accessed, including names, social security numbers, and drivers’ licences, along with the credit card numbers of around 200,000 people. And the list goes on.

In July, IBM announced the new Z14 processor and we all started saying “pervasive encryption”. The new mainframe had more total system capacity compared to the z13; faster uniprocessor performance than the z13; 170 cores to configure (141 on z13); up to 32TB of available Redundant Array of Independent Memory (RAIM) real memory per server; 2x more on-chip cache per core, compared to z13; hardware-accelerated encryption on every core with the Central Processor Assist for Cryptographic Function (CPACF) feature; new Single Instruction Multiple Data (SIMD) instructions, which are designed to give a performance boost for traditional workloads using COBOL and new applications like analytics; and much, much more.

But what is pervasive encryption? It doesn’t have an official definition, but generally means the ability to encrypt everything everywhere without interfering with the user experience. The new IBM Z14 mainframe can do real-time encryption of all mobile transactions, up to 12 billion encrypted transactions per day. The new mainframe has an encryption engine, which gives a 7 times increase in cryptographic performance over the z13, with a 4 times increase in silicon dedicated to cryptographic algorithms. It protects encryption keys with so-called tamper-responding hardware, which invalidates keys at any sign of meddling, and IBM says they can be safely restored later. This capability can be extended outside the Z14 to storage systems and servers in the cloud. A Secure Service Container is claimed to protect against insider threats from contractors and privileged users, providing automatic data and code encryption in-flight and at-rest, and tamper-resistance during installation and runtime. The Z14 can “pervasively encrypt data associated with any application, cloud service, or database all the time”.

The new processor lifted IBM’s spirits, as did its third-quarter figures in October, which registered a strong recovery following a weak first half of the year. Revenue declined 0.4 percent to $19.15bn, and IBM’s pro forma earnings per share rose 11 percent to $3.30. In the third quarter, revenue from the strategic imperatives (cloud, analytics, mobile, social and security) rose 11 percent. Cloud now represents 20 percent of IBM’s total revenue. Revenue from the mainframe business jumped 60 percent in the third quarter. The Z14 began shipping in mid-September.

IBM has been much less acquisitive in 2017, buying only three companies. In February it acquired Agile 3 Solutions for its information security business. In May it acquired German-owned XCC (a division of TIMETOACT) for its collaboration software. And in October it acquired Australian Vivant Digital for its innovation consultancy business.

    In terms of big software announcements, during the year, IBM announced CICS Transaction Server for z/OS Version 5.4. And the company also announced IMS 15.

    2017 seems to have been the year when IBM changed case! Things that used to be capitalized no longer are, and things that weren’t capitalized are now. People still talk about System z, which changed its name to z Systems, but is now IBM Z (yes, that’s a capital). Or what about DB2, or, as we should now call it, Db2? The ‘b’ is now lowercase – putting the emphasis on the data and not on the base.

2017 also saw hackathons becoming more mainstream, and a way for large organizations to offer better service to their customers. Much mainframe software is still developed using waterfall methodologies, where two years could elapse between the identification of requirements and an application being delivered, by which time the circumstances that led to the need for the software could be very different. For a hackathon to be successful, the existing technology needs to be commoditized and abstracted; APIs are the driver. And if the product that’s created by the end of the hackathon doesn’t work, it can be treated as a learning experience for the people working on that project. For example, Citibank runs Citi Mobile Challenges. These get people to look at different ways customers can consume banking services; it’s a way to get the next big idea from people outside the company, and Citibank can then monetize the ideas. Blockchain is a popular hackathon subject because it is purely digital and carries its own integrity guarantees.

As well as pervasive encryption, other words or acronyms people in 2017 were starting to use in connection with mainframes include: Swagger, Bluemix, GitHub, Jenkins, blockchain, GDPR, SIEM, Enterprise Content Management (ECM), Destruction Of Service (DeOS) attacks, Docker, Digital Transformation (DX), and edge computing.

    It’s interesting to see what Gartner highlights as the three most dominant trends in 2017. They are Artificial Intelligence (AI) Everywhere, Transparently Immersive Experiences, and Digital Platforms. In addition, Gartner believes that the key platform-enabling technologies to look out for are 5G, Digital Twin, Edge Computing, Blockchain, IoT Platforms, Neuromorphic Hardware, Quantum Computing, Serverless PaaS, and Software-Defined Security. It’s interesting to see how many of those we see on mainframes already.

So it looks like the mainframe industry is getting its old buzz back. And with that in mind, I can confidently predict that 2018 will be an interesting year, and that the mainframe will continue to offer outstanding performance and reliability, and be at the heart of the world’s business-critical applications.

Staying secure and compliant

SDS takes a look at the security challenges that mainframe sites are facing and suggests ways for z/OS users to stay safe.

THE BACKGROUND

The quality of data stored on a mainframe can be the difference between those companies that successfully continue in business and those that don’t. That data might include information about customers, their purchasing preferences, how much they like to spend, where they live, and what loans they have taken out. There may also be information about your suppliers, where they’re based, and how much they charge you for whatever they’re supplying. Each piece of that data could be useful to your competitors and to criminals. That’s why it’s so important to keep data secure. And you must be able to prove that your data is secure, because that is how you show that you’re compliant with all the regulations that apply to your industry.

    Is hacking that much of a problem? Just in 2017, members of the British Parliament had their emails hacked. The WannaCry global ransomware attack locked computers and delivered messages demanding $300 in Bitcoins to regain access. U.S. pharmaceutical giant Merck said that its network had been “compromised.” Norway’s national security agency said ransomware was affecting an unnamed “international company” in the country. And Rosneft, a Russian government-owned oil firm, said it was also targeted by a “massive hacker attack” on its servers.

Global consultancy firm Deloitte was hit by a cyberattack, which accessed emails, user names, passwords, health information, and details from Deloitte’s clients. Consumer credit score company Equifax had hackers access up to 143 million customer account details, including names, social security numbers, driver’s licenses, and credit card numbers of around 200,000 people. CeX, a second-hand games, DVDs, and hardware retailer, had around two million customers’ details stolen, including names, addresses, email addresses, phone numbers, and encrypted credit card information from as far back as 2009. And the phone numbers, names, and PIN codes of six million Verizon customers were left online for around nine days.

    Gone are the days when hackers were high-spirited teenagers who were just pushing the limits of their knowledge to see how far they could reach inside ‘secure’ systems. Hacking is now big business.

    Lists of names, credit cards details, and passwords are for sale on the dark web to any criminal that wants to make use of them. There’s evidence of state-sponsored cyber-terrorism, where governments are paying the finest cyber brains to find their way into the computers of other governments and international companies.

    And if that weren’t troubling enough, there’s still the threat from your own staff in what can be best categorized as a mixture of ignorance and malice. Insider threats can be more financially damaging and more difficult to defend against. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders, with three quarters involving malicious intent, and one quarter involving inadvertent actors.

Back in 2015, Procter & Gamble filed suit against four former Gillette Company employees, accusing them of wrongfully using and disclosing confidential information and trade secrets to a direct competitor. Similarly, an employee of Merit Health Northwest Mississippi was accused of removing patient information from the facility over a two-year period without authorization. This included patient names, addresses, dates of birth, Social Security numbers, health plan information, and clinical information. Those are examples of malicious employees.


    The other problem is human error, which can be a major factor in breaches, where trusted but unwitting insiders are to blame. Sometimes, people trying to help will reveal passwords. Other people may unwittingly have their identities stolen by malware or phishing attacks. Too often, security systems are focused on the external threat and assume that all company employees are trustworthy and savvy enough not to be fooled into revealing security-related information.

    It’s bad enough for a company to lose client data, but it could also lose confidential, business-critical plans for new products that competitors could obtain. And a company could find itself in court for being in contravention of regulations such as FISMA, GLBA, HIPAA, PCI, SOX, and other standards.

    On the plus side, mainframes enjoy an organizational structure and naming conventions that are different from Windows and Linux machines and are less familiar to low-level hackers. This ‘security by obscurity’ doesn’t make it completely safe. These days, mainframes are linking to mobile devices and the Internet of Things (IoT) — and that can provide a way for hackers to gain access to the mainframe.

    At first, web services allowed CICS transactions using SOAP protocols to be exposed to off-mainframe users. These days, RESTful Web applications can be developed, for example, for Liberty in CICS. This brings the mainframe squarely into the world of computing that is familiar to hackers and makes accessing information stored in IMS databases, DB2, or flat files much easier. With CICS TS 5.4, which supports applications written to the Java EE 7 full platform specification, users can run JDBC, JCA, and JCICS in the Liberty JVM server. And Java is very familiar to hackers.

THE PROBLEM

z/OS security relies on the use of an External Security Manager (ESM) such as IBM RACF (Resource Access Control Facility), or Computer Associates (CA) ACF2 (Access Control Facility 2) and Top Secret (TSS). Basically, RACF, ACF2, and TSS maintain mainframe security by either allowing or preventing access by, for example, a user or a program to a resource, such as a dataset. They record their decisions as they are made (RACF, for instance, writes SMF type 80 records and issues ICH408I console messages for access violations), but what these products don’t do is provide any real-time analysis of those records. That is usually carried out by running a batch job overnight or, if required, a special job investigating a specific event, after the event.

Many organizations and federal agencies make use of Security Information and Event Management (SIEM) products, like HPE ArcSight and IBM QRadar, and security log collection software such as Splunk. A SIEM product works in near real time and can monitor security logs and events as it receives them. However, these products do not collect from z/OS out of the box. Usually, a batch job runs at regular intervals collecting the data, which is then sent by FTP across the network to the security log collector. This increases the time before a security breach on the mainframe is analyzed and, if the transfer is plain FTP, exposes the audit data itself in transit.

Other sites may have SIEM products installed, but don’t use them for their z/OS security logs. Instead, they rely on their z/OS security administrator to run the necessary batch jobs to identify any security-related events or breaches. This is clearly a huge security issue because the z/OS security administrator is best placed to carry out data theft and is then able to cover their tracks: a ‘fox guarding the hen house’ scenario. It violates good security practice and federal mandates for separation of duty, and it is the opposite of continuous monitoring of z/OS security.

Through stealth or through user error, it’s possible for hackers to get inside the mainframe and acquire appropriate privilege settings. Once they have administrator-level capabilities they can then access all sorts of confidential information. They could access IMS databases and DB2 databases and send information off site. Because they have acquired admin-level privileges, there’s no way to identify that a data violation has happened until much later when a batch report is run, and it’s quite likely that the violation would not be picked up at all. What’s needed is the ability to monitor the mainframe from outside of the mainframe, and to monitor events even where the user has the appropriate authority.

    Many sites feel that the amount of security they need is too costly for them to install at the present time and they hope that everything will carry on the way it always has. What they fail to take into account is that the cost of a security breach is even higher. Like the companies mentioned earlier, they will not only find that losing data has a cost to their company, but also the loss of customer and partner confidence in them has an additional cost. The likelihood of a fine for contravening the regulations that apply to their business makes the availability of comprehensive and cost-effective mainframe security software even more important.

THE SOLUTION

What’s needed is a product that meets all the current needs of an organization in terms of securing the confidential records of its own business as well as the information about its clients. In addition, such a product must have all the qualities that are required to counter today’s security threats. It must work efficiently with existing z/OS security and make use of SMF (System Management Facilities) records and console messages. The product must be capable of tracking audited events and insider threats, delivering mainframe alerts in real time, and easily integrating with existing security monitors.

How can you choose from the z/OS security monitoring products available? What criteria should you use when evaluating such a product for your organization? You want it to:

• Offer scalability
• Be easy to use
• Provide real-time 24/7 access to resources and event monitoring
• Eliminate unwanted events by employing customer-defined filters
• Promote true audit independence and analysis, with decimal data presented in a clear-text format so it may be interpreted by non-technical people within the IT organization
• Facilitate security spot checks at any time outside of the standard quarterly security audit
• Be easy to configure and install
• Have a small footprint in terms of mainframe processing, with the minimum performance impact on mainframe systems

    Software Diversified Services (SDS) markets VitalSigns SIEM Agent™ for z/OS (VSA), which forwards z/OS system console and SMF messages in the proper format, as well as those from RACF, ACF2, Top Secret, DB2, CICS, and FTP, to a central SIEM system such as HPE ArcSight, IBM QRadar, Splunk, LogRhythm, McAfee Enterprise Security Manager, Dell RSA Security Analytics, Dell SecureWorks, and others. It will gather intelligence from all z/OS systems and LPARs in the network. Mainframe data is then consolidated with security intelligence from other systems in the enterprise, such as UNIX, Windows, and Cisco, for total visibility into the z/OS environment, as well as distributed and open-systems environments. Enterprise-wide monitoring of security events is critical, not only for tracking malicious activity, but also to meet stringent compliance requirements. Once the data is in the SIEM, it can then be indexed, searched, analyzed, and visualized across the spectrum. That means organizations no longer need multiple security teams to guard their enterprise’s multiple platforms.

Administrators can define specific items of interest for extra levels of monitoring: for example, files that contain credit information, or health care details. VSA uses both signature and anomaly-based attack detection. It provides real-time alerts that can be managed, filtered, routed, and searched using the SIEM’s GUI. And it comes with APIs that allow TSO, CICS, and batch events to be defined and filtered.

This brings your z/OS mainframes into the center of your enterprise security infrastructure without hassle and in real time. With VSA, your organization’s security team has a central, end-to-end view of all the events they need to capture and all the security threats they need to recognize.

VitalSigns SIEM Agent can:

• Detect malicious activity, including an insider’s actions that have been authorized by existing security settings
• Protect against insider threats unlike any other commercial mainframe software available
• Identify internal patterns of abuse
• Meet government security requirements and mandates for continuous monitoring of computer systems, separation of duties, and file integrity monitoring
• Work in tandem with all other client, server, and firewall security monitoring products already deployed to provide complete real-time, enterprise-wide threat management
• Save hundreds of hours searching through batch reports when investigating a security breach.

CONCLUSION

VitalSigns SIEM Agent for z/OS gathers detailed information about security events on the mainframe. The agent interprets the data, normalizes it into standard syslog format over TCP/IP, and delivers it in real time to the people and systems responsible for enterprise security.

    Proactive companies that have a track record of monitoring security logs from outside the box are best placed to be compliant with new regulations and have a solid framework to manage z/OS data and its associated risks. VitalSigns SIEM Agent from SDS can help you stay compliant with regulations, recognize security threats, and track and uncover policy violations in real time.
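As an added example (editor's code, not SDS's VitalSigns product and not from the original article), the following Python monitor does, on constructed input, the three things this article asks of an off-platform agent: it turns z/OS access decisions into RFC 5424 syslog lines as they arrive rather than via an overnight batch job and FTP, it raises an alert for access to watched datasets even when the ESM permitted it (the "authorized insider" case), and it flags the security administrator touching the SMF audit datasets, which is the separation-of-duties breach described under THE PROBLEM. The event line format, the dataset masks, the userids, the baseline, the hostname and the zos@32473 structured-data ID are all assumed for illustration; real input would be SMF type 80 records and console messages such as ICH408I, which carry far more fields than the flattened form used here.

```python
"""Off-platform monitor for z/OS security events: parse, classify, emit syslog.

Added example, not SDS/VitalSigns code and not from the original article.
The event format, dataset masks, userids, hostname and the zos@32473
structured-data ID are assumed for illustration.  Real input would be SMF
type 80 records and console messages such as ICH408I.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real SMF or console output): one RACF access
# decision per line, as a hypothetical agent might flatten it.
SAMPLE_EVENTS = """\
2018-01-15T02:14:07Z USER=PAYRUN01 GROUP=BATCH DSN=PROD.PAYROLL.MASTER ACCESS=READ RESULT=ALLOWED JOB=PAYRUN01
2018-01-15T02:14:09Z USER=TSOUSR7 GROUP=DEVTEAM DSN=PROD.CREDIT.CARDS ACCESS=READ RESULT=DENIED JOB=TSOUSR7
2018-01-15T03:30:41Z USER=DBA0042 GROUP=DBADMIN DSN=PROD.CREDIT.CARDS ACCESS=READ RESULT=ALLOWED JOB=DBA0042
2018-01-15T03:31:05Z USER=SECADM1 GROUP=SECADM DSN=SYS1.MAN1 ACCESS=UPDATE RESULT=ALLOWED JOB=SECADM1
2018-01-15T04:02:13Z USER=PAYRUN01 GROUP=BATCH DSN=PROD.HEALTH.CLAIMS ACCESS=READ RESULT=ALLOWED JOB=PAYRUN01
"""

# Assumed, illustrative policy.  Masks use RACF-style generics: '*' matches
# within one qualifier, '**' matches across qualifiers, '%' one character.
WATCHED_MASKS = ["PROD.CREDIT.**", "PROD.HEALTH.**"]  # sensitive data: log even permitted access
AUDIT_TRAIL_MASKS = ["SYS1.MAN*", "SYS1.SMF.**"]      # the SMF datasets, i.e. the audit trail itself
SECURITY_ADMINS = {"SECADM1", "SECADM2"}              # userids with security-administration authority
# Assumed per-userid baseline of datasets normally touched; a real agent
# would learn this from earlier traffic.  Access outside it is an anomaly.
BASELINE = {"PAYRUN01": ["PROD.PAYROLL.**", "PROD.HEALTH.**"],
            "DBA0042": ["PROD.DB2.**"]}

SYSLOG_FACILITY_AUDIT = 13                  # RFC 5424 facility 13, "log audit"
SEV_ALERT, SEV_WARNING, SEV_INFO = 1, 4, 6  # RFC 5424 severities; lower is more severe


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a RACF-style dataset mask into an anchored regex."""
    out, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):
            out.append(".*"); i += 2
        elif mask[i] == "*":
            out.append("[^.]*"); i += 1
        elif mask[i] == "%":
            out.append("[^.]"); i += 1
        else:
            out.append(re.escape(mask[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_any(dsn: str, masks: List[str]) -> bool:
    return any(mask_to_regex(m).match(dsn) for m in masks)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'TIMESTAMP KEY=VALUE ...' into a dict with lower-case keys."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": ts}
    for key, value in re.findall(r"(\w+)=(\S+)", rest):
        ev[key.lower()] = value
    return ev


def classify(ev: Dict[str, str]) -> Tuple[int, str]:
    """Return (syslog severity, rule name).  Most specific rule first."""
    user, dsn = ev["user"], ev["dsn"]
    if ev["result"] == "DENIED":
        return SEV_WARNING, "ACCESS_VIOLATION"          # signature rule: the ESM already said no
    if user in SECURITY_ADMINS and matches_any(dsn, AUDIT_TRAIL_MASKS):
        return SEV_ALERT, "SEPARATION_OF_DUTIES"        # the fox is in the hen house
    if matches_any(dsn, WATCHED_MASKS):
        if not matches_any(dsn, BASELINE.get(user, [])):
            return SEV_ALERT, "WATCHED_ACCESS_ANOMALY"  # permitted, but not this user's normal pattern
        return SEV_WARNING, "WATCHED_ACCESS"            # permitted and expected, still worth a record
    return SEV_INFO, "ACCESS"


def to_syslog(ev: Dict[str, str], hostname: str = "ZOSPROD1",
              app: str = "zos-audit-agent") -> str:
    """Format one event as an RFC 5424 line; PRI = facility * 8 + severity.
    Sample values contain none of the characters RFC 5424 requires escaping."""
    sev, rule = classify(ev)
    pri = SYSLOG_FACILITY_AUDIT * 8 + sev
    fields = " ".join(f'{k}="{ev[k]}"' for k in ("user", "group", "dsn", "access", "result", "job"))
    return (f"<{pri}>1 {ev['ts']} {hostname} {app} - {rule} [zos@32473 {fields}] "
            f"{rule} {ev['user']} {ev['access']} {ev['dsn']} {ev['result']}")


def forward(lines: List[str]) -> List[str]:
    """Every event, as an agent would stream it; the SIEM does the storing."""
    return [to_syslog(parse_event(line)) for line in lines if line.strip()]


def alerts(lines: List[str]) -> List[str]:
    """Only the events a SIEM should raise: warning severity or worse."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if classify(ev)[0] <= SEV_WARNING:
            out.append(to_syslog(ev))
    return out


if __name__ == "__main__":
    for line in forward(SAMPLE_EVENTS.splitlines()):
        print(line)
```

Run stand-alone, the five constructed events come out as five syslog lines, and alerts() keeps the four a SIEM should raise. The third and fourth events are the cases the article is about: the ESM permitted both, so no overnight violation report would ever show them, yet one is a DBA reading credit card data outside that user's baseline and the other is the security administrator updating an SMF dataset. The point of the design is that classification happens on the collector, outside the mainframe, on data that left the box as it was cut, so the administrator cannot quietly re-run or suppress the report.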


About SDS

SDS provides enterprise software for multiple platforms, with a 30-year history of delivering award-winning support and customer-centric IT infrastructure solutions. www.sdsusa.com.

A White Paper entitled The Business Value of the Connected Mainframe for Digital Transformation, sponsored by IBM and CA Technologies, concluded that mainframe computing is at a crossroads: it will either continue merely supporting enterprise operations, or it can play an increasingly important role in enterprise digital transformations (DX). According to the White Paper, the modernized, “connected mainframe” integrates into an organization’s ecosystem, internally and externally, delivering innovations that drive revenue growth and improve operational efficiency. It explains that “modernizing on the mainframe” is about “creating a platform that is integration-ready within the data center and with the outside world”.

To be successful, the mainframe must be connected to the rest of the data centre infrastructure and IT processes, and to the outside world. There’s a need to expose services and capabilities on the mainframe to mobile apps. Many sites were making use of internal and external APIs on the mainframe. Other popular things to do were to use DevOps and Agile development on the mainframe. And many sites were starting to utilize hybrid cloud strategies to move forward successfully into the future.

How to Ditch Waterfall for DevOps on the Mainframe

The Story of Compuware’s Waterfall-to-Agile Transformation

People in business talk a lot about transformation. But most companies have only a vague understanding of what a successful transformation is, let alone how to accomplish one before nimble, digital disruptors swoop in to steal customers.

    Defining what to do and how to do it is especially hard for companies that rely heavily on the mainframe—a historically siloed platform encumbered by slow process and outdated, esoteric tools. Regardless, as the system of record for your customer-facing web and mobile apps, it’s imperative to find a waterfall-to-Agile transformation path that brings your mainframe out of the dark corners of the data center and into your broader Agile/DevOps environment.

We accomplished this at Compuware, and today we’re a modern Agile/DevOps software development organization delivering new products and feature functionality to customers every 90 days. Here is our story. Use it as guidance to plan, execute and accomplish your own waterfall-to-Agile transformation.

Recognizing the Problem: 40 Years of Waterfall Development

In 2014, we had an opportunity to transform Compuware. Revitalized by new owners and management, the company set out to solve a major problem: it was a stagnant organization plagued with 40 years of waterfall development. Maintaining the status quo of a 12-to-18-month software development and delivery cadence prevented us from providing customers with innovative software to meet their shifting needs. We recognized three realities that would help us change:

1. Fast Beats Slow

In the modern digital economy, big doesn’t beat small anymore; fast beats slow. At the time, our business methodology prevented us from outpacing competition and becoming a mainframe leader. We needed to accelerate.

2. Ideation and Innovation Are Key to Success

Competitive, relevant companies create new things that delight customers. They do this by establishing cultures that support innovation. We needed to shift our culture to one that encouraged Compuware employees to stay engaged and bring forward new ideas that would dramatically alter what we offer customers.

3. Measure, Maintain and Improve Quality

As a company accelerates and begins trying new things, generating new ideas, innovating and transforming into a creator, maintaining, measuring and improving quality must become paramount. This was especially true for Compuware as a mainframe software vendor to major corporations around the world.

Defining the Desired State and How to Get There

Once we recognized our problem, we needed to define our desired state and determine how to get there. To become more competitive, a thought leader and an innovative mainframe company, we set a goal of delivering new products and feature functionality to our customers every 90 days, setting a new industry standard. We determined several things that would help us get there.

Agility

We needed to perform agile, frequent, rightsized code changes to fulfill business needs. Not only through Agile Development but also by advancing business agility throughout the entire company.

Confidence

We needed to have confidence that the new products and enhancements we delivered would meet the needs of our customers. Part of attaining that confidence would come from improving quality through automation and agile testing practices, but also through substantial collaboration with and regular feedback from customers.

Efficiency

We needed to be efficient with our time and maximize skills by recognizing cross-organizationally who could help deliver what in the best way. Improving overall efficiency would help us meet the demands of customers more rapidly.

Ease of Use

We needed intuitive, uncomplicated, modern tools that made information understandable and accessible in one place so our faster, more efficient processes could flow continuously with ease. This would improve overall developer productivity and enable less-experienced developers to efficiently and effectively make updates and enhancements to Compuware products.

Integrations

We needed to forge integrations with other tools to create and thrive in a modern cross-platform DevOps environment. While our development focus is solely on mainframe software, we recognized the importance of integrating with non-mainframe systems to help customers support hybrid applications that interact with both systems of engagement and systems of record.

    See Figure 1.


    Using the Right Tools to Make It Happen

    Ultimately, integrating with and using the “right” Agile/DevOps tools made our transformation possible. When our software toolchain became easy to use, we gained the confidence to implement an absolute DevOps culture across our development organization. Topaz is the foundation of our mainframe development and testing toolset, and integrations with both mainframe and non-mainframe partners have enabled the sharing of results and use of common tools across systems. This is what forms our DevOps toolchain—and the mainframe is an integral part of that. See Figure 2. Here are the Compuware mainframe DevOps tools as well as a few vital product integrations we leverage to move code through the software development lifecycle.

    Cultivating Ideas

    Compuware uses Atlassian Confluence and Jira to generate, organize and collaborate on ideas using Agile Development methodologies like Scrum or Kanban. This enables us to deliver what is needed and maintain what we’re currently providing to existing customers.

    Development Process

    When an idea enters Jira, we enter the development process, which entails a standard code creation and updating phase. These are the tools we use:

    • Code Editing and Application Understanding: All development is accomplished within Compuware Topaz Workbench, our Eclipse-based IDE and modern development interface that enables developers to stay in one environment. We also use Compuware Topaz for Program Analysis, which improves program understanding by generating visual representations of applications.

    Figure 1: Integrations

    • Validating and Debugging Code: While moving through the software development lifecycle, Compuware uses SonarSource SonarLint’s integration with Topaz Workbench during continuous testing to ensure we’re following coding standards and maintaining code quality. We use Compuware Xpediter for debugging within Topaz.

    • Editing and Managing Data: We use Compuware File-AID’s integration with Topaz to create test data and obfuscate production data, allowing us to have a solid set of test data to work with in developing and delivering our products and software.

    Version Control

    Compuware ISPW is used for our mainframe source code management (SCM). By using ISPW, we have the advantage of a modern mainframe SCM that is built for DevOps practices and can integrate with our other DevOps tools. ISPW allows us to easily manage the concurrent development for multiple releases and provides powerful and flexible mainframe-resident source change management, compilation/build processes and deployment across multiple LPARs.

    Continuous Integration and Code Quality

    We use Jenkins for Continuous Integration, including kicking off automated testing through integrations with ISPW as well as orchestrating other automations and integrations across the enterprise. Code Coverage capabilities within Xpediter enable us to capture code execution statistics for quick assessments of test-related risk and documentation of testing.

    Figure 2: Using the right tools

    Test Automation

    Test automation is key to maintaining code quality and delivering new updates with confidence. We use Compuware Topaz for Total Test to automatically create and execute unit tests; Compuware Hiperstation for automated functional tests; and Compuware Strobe to ensure application performance isn’t negatively impacted. All of these products integrate through Topaz. We also use Zephyr, a Jira plugin that allows us to post test results to Jira, automatically update Jiras and track how well automated test suites are running.

    Deploy

    Once testing is complete and quality is improved, we use Compuware ISPW Deploy to deploy mainframe software. Its REST APIs allow integrations with distributed tools, enabling the deployment of mainframe and non-mainframe software together.

    Production

    Once the application reaches production, we monitor the application using Strobe for performance and Compuware Abend-AID to detect faults and errors that occur. We use Compuware Application Audit for real-time auditing to ensure the security and integrity of the system. Using integrations with Jira, Abend-AID and Strobe, issues can be opened within Jira when an issue is found in production. Following Agile processes, the Jira is opened, prioritized on a backlog and assigned to the appropriate team to move forward.

    The Desired State

    After implementing Agile Development and our DevOps toolchain over the last few years, our speed, innovation and quality have improved. Through automating deployment, we’ve been able to deploy software much more rapidly to carry out Continuous Integration and Continuous Delivery. This hasn’t been measured by lines of code delivered or written but by the actual deliverables that go to market. Customer-reported product defects have decreased year over year. As we increased test automation and fully integrated it into our SCM and development process, we increased software quality.

    Going through our transformation, we also discovered there are 10 fundamentals to achieving Agile Development on the mainframe. We created a flexible step-by-step process available now as an eBook, “10 Steps to True Mainframe Agility.”

    Through these steps and the process discussed in this paper, Compuware has “mainstreamed the mainframe” and enabled DevOps across our entire enterprise. Use our story as your guide and remember that it’s possible for your mainframe team to accomplish a waterfall-to-Agile transformation and gain the agility, confidence and inspiration necessary to develop and deliver innovative products that meet your customers’ rapidly changing needs.

    About Compuware

    Compuware empowers the world’s largest companies to excel in the digital economy by fully leveraging their high-value mainframe investments. We do this by delivering highly innovative solutions that uniquely enable IT professionals with mainstream skills to manage mainframe applications, data and platform operations. Learn more at Compuware.com.


    Health Solutions Provider Accelerates Integration, Sparks IT Collaboration Using Server-Side JavaScript

    Mainframe-Based HB JavaScript Speeds API/Services Creation

    Executive Summary

    A leading health care and pharmacy solutions provider uses HB.js – the HostBridge® JavaScript Engine – to rapidly integrate its core business systems with any other systems anywhere. As a result, the company provides modern solutions to employees and customers, streamlines technology-driven business processes, and innovates to better compete in its rapidly evolving industry. HB.js specifically enables the company to develop and deploy RESTful APIs, web services, and microservices to modernize and integrate critical IBM® z Systems® applications, data, and business logic.

    Objectives:

    • Improve operations and outpace the competition by integrating employee-, partner-, and customer-facing systems

    • Maintain proven CICS® applications and DB2® databases as operational systems of record

    • Deploy web services as the best means to modernize and extend the value of mainframe assets

    • Accelerate and simplify web services modernization and integration by transitioning to a RESTful services approach.

    Solution:

    • HB.js – the HostBridge JavaScript Engine, the only server-side JavaScript solution for the IBM mainframe

    Outcomes:

    • Create and deploy reusable APIs, web services, and microservices faster and more easily than ever before

    • Address tactical objectives with reusable APIs and services while building strategically toward a RESTful enterprise architecture

    • Provide integration solutions that improve efficiency, productivity, and economy – and work for business.

    Introduction

    A leading provider of healthcare and pharmacy solutions – including pharmacy benefit administration and prescription drug claims processing – continues to grow steadily in its fast-paced industry. Keys to its mission are maximizing clinical outcomes for patients while managing operating expenses, which it achieves in part by gathering and sharing information with greater speed and agility.

    The solutions provider is a mature mainframe shop, running its most critical business processes on an IBM z13® mainframe with CICS TS V5.1 applications, DB2 databases, zIIP and zAAP specialty engines, and other mainframe tools. Representing decades of investment, these deliver exceptional processing power and reliability.

    Like every organization that uses information to drive business, the company must continually integrate information systems, whether it has used them for decades or they are just now emerging. Some years ago, the company turned from tightly coupled system-to-system integration to more flexible, loosely coupled SOAP-based web services. The SOAP services were a dramatic improvement, but development cycles remained slow, and a widening skills gap between mainframe and web developers threatened to slow development further.

    RESTful APIs and Services with HB.js – the HostBridge JavaScript Engine

    In 2014, to address these concerns, the company began adopting a faster, easier, more efficient integration methodology, transitioning most of its services projects from the heavy SOAP methodology to a lighter, more agile RESTful approach.

    To power this new approach, it chose HB.js, the HostBridge JavaScript Engine. HB.js is the only server-side JavaScript for the mainframe, and all HB.js processes and services are eligible to run on the lower-cost System z Integrated Information Processor (zIIP). HB.js suited the provider’s environment in other ways as well. Like the mainframe and many other enterprise platforms, HostBridge uses Eclipse for its development environment and CA Endevor® for deployment processes.

    Along with all related HostBridge components, HB.js is mainframe-based integration software. Running under CICS, it delivers exceptional performance and reliability. HB.js is a JavaScript development and runtime engine for web services/API integration; the HostBridge base product auto-generates XML from CICS applications, providing exact replicas of CICS screens within the HostBridge Eclipse IDE for easier, more intuitive services development.

    The solutions provider chose HB.js specifically for the flexibility of its RESTful, object-oriented approach. With HB.js, customers can easily create a service from any application function or CICS screen. These can readily be aggregated into higher-level services or into effectively new applications. HB.js also provides a unique and powerful way to orchestrate and automate complex CICS micro flows as single web services. And HB.js services are language-agnostic, callable from COBOL, Java, C#, Python, PHP, or any other programming language.

    Implementation Examples

    To date, the company has completed a range of HB.js APIs, services, and microservices, improving integration with partner systems, developing streamlined internal tools for employees, and extending mainframe business logic to distributed platforms to achieve new business objectives. Two brief examples are outlined here.

    RESTful Integration of a Third-Party Tool with DB2 Databases

    Like most providers across the health care solutions industry, the company uses a third-party formulary management tool to manage drugs covered under benefit plans. Entering data into the third-party tool and in-house databases required separate data entry processes. To eliminate duplication of effort and improve productivity and efficiency, the company developed a simple integration of the third-party tool with its claims processing databases.

    Using HB.js, developers wrote and embedded a RESTful API in the formulary tool’s user interface. Now, whenever an employee or claims agent enters data into the tool, the data is automatically sent via JSON (JavaScript Object Notation) to HostBridge. HB.js services then interact with DB2, entering the data into every database relevant to claims processing. This integration was designed, developed, tested, and deployed in three weeks.

    Streamlining Membership Card Reissues

    Before HB.js, whenever the provider’s members needed membership cards reissued, employees started a lengthy, labor-intensive process that was prone to errors. Call center personnel took requests over the phone and then created an Excel spreadsheet listing requests alongside member information. The spreadsheet was sent to another team, which ran an ad-hoc batch process to update a single database parameter with a value indicating the need to reissue cards. Nightly, the process would review all records and create cards for those whose records now included the indicator.

    Developers created a simple HTML front end and used HB.js to develop services that enable employees to complete the process in a single step. The web page calls an HB.js service, which then updates the member’s database record and initiates the card creation process.

    Outcomes and Benefits

    With HB.js, the solutions provider now develops APIs and web services – and completes integration projects – far faster and more easily than with any other method, including Java-based SOAP development. The provider’s services strategy has also evolved as development cycles have grown shorter, deployment/migration simpler, and time to market faster.

    Development teams now focus increasingly on microservices – simple, discrete services based on self-contained functions that can be reused and aggregated with other services running on the mainframe or any of its other enterprise platforms.

    Interoperability and Process Improvement

    The single greatest benefit of RESTful services integration using HB.js is that the solutions provider is achieving its IT and business objectives. On the technology side, the provider more readily integrates its mainframe assets with other enterprise systems and with web and mobile applications – even as it builds a flexible, functional services architecture. On the business side, services-based integration implementations deliver improved process efficiency, greater productivity, lower operating costs, and new opportunities for business growth.

    With HB.js, the provider does more with and gains new value from its mainframe, adopts disruptive technologies as they emerge, and meets the changing expectations of employees and customers.

    Agility

    Lightweight, reusable HB.js services and microservices make the provider more agile from both the technology and business perspectives. At the most basic level, a simple web service might “serve” several backend systems. For example, a mailing address web service based on a DB2 database can instantly deliver address change information to any other application or database running anywhere – in-house, at partner sites, or in the cloud.

    At the highest levels, the RESTful approach effectively enables the creation of entirely new business applications by decoupling services from both source and destination applications. Services from any number of applications and platforms can be aggregated and repurposed to serve the most complex and fastest-changing business functions.

    Continuous Delivery

    A benefit related to the agility of RESTful services is continuous delivery – changes to any given backend application have almost zero impact on any higher-order business services. Though aggregated services might be comprised of dozens or hundreds of microservices, changes to backend systems are likely to affect only a few microservices, and only those few services require updates. The overall services-based business application and the vast majority of microservices remain unchanged. As such, business applications run without interruption.

    Collaboration Across IT Teams

    Thanks to HB.js and its JavaScript-based programming, the solutions provider realized another, unexpected benefit. Walls that had existed between development teams broke down, and cross-team collaboration improved. Historically, mainframe and web teams focused on different tasks. After years of disconnection, the groups functioned as if they were in discrete silos. Bridging the gap was a challenge.


    Build a bridge... from z to anywhere

    HB.js, the JavaScript engine, delivers powerful, flexible Web services modernization for Z Systems™ applications and data.

    Orchestrate complex transactions, programs, and data into composite services. Create dynamic new apps that tap the mainframe’s power and reliability. Modernize on technology that drives mobile and cloud innovation.

    HB.js – easy to learn, fast to deploy, universally interoperable.

    Faster, Simpler Web Services for CICS & IBM Z Systems™

    HB.js – The HostBridge JavaScript Engine

    Investigate: HostBridge.com | Free Pilot Inquiry: +1.405.533.2900

    See just how easy it is: try HB.js in your environment.

    Contact us to set up a trial.


    HostBridge JavaScript changed this dynamic. Web teams already knew JavaScript, but now they could readily observe how HB.js interacted with CICS applications and other z Systems assets, leading to a better understanding of and appreciation for the mainframe. COBOL programmers knew what the mainframe was doing, so they quickly grasped how JavaScript could extend mainframe functionality. Soon they were learning JavaScript, finding it easy to understand and use, and enjoying the opportunity to gain a new skill and join the large and growing JavaScript community.

    The Future

    The solutions provider continues to expand its use of HB.js to make improvements where it matters most – in day-to-day operations, employee productivity, customer service, and the bottom line. And as APIs, services, and microservices have come online and proven their value, the company has accelerated its implementations.

    A clear sign of the success of the RESTful approach with HB.js is the rapid growth of web services used by the company. From 2014 to 2016, the number of web services processed per year increased by more than 90 percent and now exceeds 1 billion.

    As it repeatedly realizes the core benefits of HB.js – ease of use, renewed collaboration, services agility, faster time-to-market, and broader, more flexible integration – the company will continue shifting more of its integration workload to HostBridge and the HostBridge JavaScript Engine.

    Footnote

    1 Alternatively, HostBridge can run inside z/OS but outside of CICS. In this configuration, all HostBridge processes and services are eligible to run on the zIIP. For more information, see “zIIP-Enabling CICS Integration Workloads: HostBridge for zIIP” at http://hostbridge.com/index.php/library/zIIP-enabling-CICS-integration-workloads.

    About HostBridge

    Find out more about HostBridge at http://www.hostbridge.com.

    IBM has announced that it will deploy Docker Enterprise Edition across all its Linux-based systems. This will enable IBM to deliver on its goal of moving the app to the data rather than the data to the app. So, what is Docker? Docker is a software container platform. Everything you need to make the software work is packaged into this container. It includes libraries and settings to run on any platform. This way, you get an efficient, lightweight, self-contained system, plus the assurance that the software will always run the same, no matter where it’s deployed. Container architecture changes how code interacts with hardware: in effect, it abstracts the application from the infrastructure.

    Developers can use Docker to collaborate on the development of software while potentially working on completely different hardware. According to the Docker Web site, operators use Docker to run and manage apps side-by-side in isolated containers to get better compute density. Enterprises use Docker to build agile software delivery pipelines to ship new features faster, more securely, and with confidence for both Linux and Windows Server apps.

    Docker runs on Ubuntu, Debian, Red Hat Enterprise Linux, CentOS, Fedora, Oracle Linux, SUSE Linux Enterprise Server, Microsoft Windows Server 2016, Microsoft Windows 10, macOS, Microsoft Azure, and Amazon Web Services.


    z/OS Code Scanning Is Essential to System z® Security

    Security analysts often state that, in order to effectively safeguard the vast data volumes stored on a mainframe, an organization must establish configuration-based security controls and then continuously monitor these controls to determine effectiveness and compliance to standards. Establishing a baseline of the security configuration and then automatically monitoring and alerting on that status for “drifting” is considered a best practice in order to minimize the risk of exposure.

    Vendors translate this best practice into security software and services that focus on securing the enterprise through application code penetration testing for known vulnerabilities and security configuration monitoring against compliance standards such as the DoD STIGs. For example, as shown below, IBM Security’s zSecure suite provides products that audit configurations for standards compliance and report anomalies to its QRadar® SIEM. They also provide ESM administrative support. Yet it only takes one zero-day code-based vulnerability in the OS layer to afford a hacker the ability to bypass everything that is considered essential and best practice in securing applications and the source data associated with them. These vulnerabilities, when exploited, allow the exploiter full access to any data and any application residing on that system. Note that External Security Managers (RACF®, CA ACF2™, and CA Top Secret™) are not part of the solution; nor are any Application Security Testing tools or Run-time Application Self Protection (RASP) tools. No current ESM or Application Security Testing tool can identify these vulnerabilities, notify you when they are exploited, or remediate them. Ensuring system integrity is outside the scope of the current External Security Managers. The ESMs are not designed to enforce a security policy when a hacker (external or internal) uses an OS layer vulnerability to circumvent z/OS system integrity by altering his security authority in memory and gaining unauthorized access to the system.

    IBM’s Statement of Integrity

    Security professionals understand how to mitigate the risks caused by configuration-based vulnerabilities. They have robust tools to monitor network traffic, scan applications, and monitor security configurations for documented vulnerabilities. Unfortunately, these tools are incapable of detecting zero-day code-based vulnerabilities at the OS layer, and in practice OS layer vulnerability assessments uncover serious exposures unrelated to “drifting” configurations and excessive access. How is this possible when integrity and security are so integral to System z that the operating system will not start unless an ESM has been specified in the system configuration?


    Traditionally, the mainframe has depended upon the IBM Statement of Integrity as the cornerstone for the security of the mainframe. In 1973, IBM announced its Statement of Integrity for its new Operating System, OS/VS2. OS/VS2 was the predecessor to MVS and z/OS. In its current form, the IBM Statement of Integrity states:

    “IBM’s commitment includes design and development practices intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security – that is, to prevent them from gaining access, circumventing, disabling, altering, or obtaining control of key z/OS system processes and resources unless allowed by the installation. Specifically, z/OS “System Integrity” is defined as the inability of any program not authorized by a mechanism under the installation’s control to circumvent or disable store or fetch protection, access a resource protected by the z/OS Security Server (RACF®), or obtain control in an authorized state; that is, in supervisor state, with a protection key less than eight (8), or Authorized Program Facility (APF) authorized. In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it.”

    It is important to note in the first statement that IBM does not state that z/OS will have no system integrity problems, but rather that if one is reported, they will always take action to resolve it. And, the second reference clearly states that it is the installation’s responsibility that any authorized code they add (and this would include products from Independent Software Vendors and any installation developed code) also conforms to the same high level of standards that z/OS uses to maintain its integrity.

    According to IBM’s z/OS Authorized Assembler Services Guide, the installation is responsible for the following on each z/OS system. To ensure that system integrity is effective and to avoid compromising any of the integrity controls provided in the system, the installation must assume responsibility for:

    • The physical environment of the computing system.

    • The adoption of certain procedures (for example, the password protection of appropriate system data sets) that are a necessary complement to the integrity support within the operating system itself.

    • Ensuring that its own modifications and additions (including third-party software) to the system do not introduce any integrity exposures. That is, all installation-supplied authorized code (for example, an installation SVC) must perform the same or an equivalent type of validity checking and control that the system uses to maintain its integrity.

    Code-based Vulnerabilities

    Code-based vulnerabilities are caused by poor design and coding errors in programs that reside in the mainframe’s OS layer (PC routines; SVCs). They do not follow the rules laid down by the IBM Statement of Integrity. Most z/OS systems have tens of thousands of authorized programs, including software from internal teams and independent software vendors. Operating system code, Independent Software Vendor (“ISV”) supplied products, and installation-added authorized programs and interfaces are part of the operating system layer and can contain these security vulnerabilities.

    In most cases these vulnerabilities must be remediated by the code owner. The code owners are, in the case of z/OS, IBM, and in the case of third-party add-on products, either IBM or an ISV, or – in the case of internally developed code – the Company.

    One of the strengths of z/OS is that programs can be developed anywhere in the world and (for the most part, given similar supporting software) will run unchanged on any other system in the world. In the case of OS-level code vulnerabilities, this is a danger because it means that vulnerabilities can be researched and developed anywhere and the exploits can be “imported” into any company’s internal environment. Therefore, it is not a viable risk assumption that very few individuals with access to the company’s systems would have the expertise to carry out an attack. There is a large distinction between developing an exploit and being able to implement it. In fact, the majority of security code vulnerabilities can be exploited using a CLIST or REXX Exec.

    The balance between defenses and exposures isn’t static or even predictable; it’s impossible to monitor and comprehend consequences of vendor development and maintenance streams. In the same way that PCs and servers need constant monitoring so do mainframes.

    OS Layer Vulnerabilities

    Within the application and operating system layers of z/OS are programs and memory. When memory is allocated to a program by the operating system, a storage key is assigned to it. This storage key dictates whether the storage belongs in the application layer (storage key 8) or the OS layer (storage keys 0-7). In the application layer, application programs have the ability to modify application memory. Application layer programs are normally run within the application layer in PSW Key 8, problem state. The PSW key allows these programs to alter any private area storage key 8 memory (APPLICATION DATA) in their address space. This is known as a non-reentrant application program state: the data is loaded into storage key 8 memory and can be modified directly by application layer programs.

    Reentrant (RENT) programs are loaded into the OS layer memory and cannot be directly updated by an application program. However, if an application layer program is given READ authority by the ESM to the program libraries it can copy them to another library, modify the programs stored in that library, then load and execute the modified copy.

    Application programs CANNOT directly modify OS layer programs or memory. Typically, ESM programs and credentials are located in the OS layer. A common exploitable vulnerability within application security interfaces is caused by the failure to place application security programs and credentials in the OS layer.

    Note that security credentials for all current ESMs (RACF, ACF2, and Top Secret) should be in the OS layer. This denies application programs the ability to directly update security credentials associated with the authorization and authentication of resources associated with the application. An OS layer program must be used for an exploiter to modify security credentials. Scanning application code for vulnerabilities will NEVER find severe security vulnerabilities that allow OS layer programs or memory to be modified. While there are benefits to scanning application layer programs for vulnerabilities, finding severe security code vulnerabilities is not one of them.

    In the case of a storage alteration vulnerability, an authorized program allows a non-authorized user the ability to modify operating system memory locations. These locations would include where the ESM (e.g., RACF®) keeps its security credentials. Storage alteration vulnerabilities occur when a non-authorized user can invoke an authorized function (e.g., an SVC or PC routine) that will modify operating system memory. A non-authorized user will usually be able to control which addresses are modified by the authorized function.

    To exploit a storage alteration vulnerability, a non-authorized user would invoke the authorized program, passing an address to be modified (e.g., the z/OS or ESM security credentials). The authorized program would update the address specified by the non-authorized caller while executing in an authorized PSW key. The exploit of this vulnerability could be written as a script (CLIST or REXX) or an assembler program. Using a storage alteration vulnerability, the exploiter could:

    • Change the exploiter's authority
      – Elevate z/OS authority to allow MODESET or bypass password authority
      – Elevate ESM authority to allow access to protected resources
      – Change ESM credentials to impersonate other users
    • Make changes to the operating system
      – Disable or bypass ESM security checks
      – Disable z/OS logging (SMF)
      – Allow the capture of userids and passwords or other sensitive data
      – Modify network configuration to allow sensitive data to be sent out into the network
      – Allow signon/logon without the proper credentials
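The storage alteration defect described above, modelled in C as an added illustration (this is not code from the article or from Key Resources): a toy version of z/Architecture key-controlled protection, with an authorized store service that ignores its caller's PSW key beside one that validates the caller-supplied address against that key before storing. The page layout, addresses and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of key-controlled protection (constructed for illustration).
 * Memory is a few 4 KiB pages; each page carries the storage key it was
 * assigned when allocated, exactly as the article describes for z/OS. */
#define PAGE_SIZE 4096u
#define NPAGES    4u
#define KEY_OS    0u   /* OS layer storage uses keys 0-7 */
#define KEY_APP   8u   /* application layer: problem state, PSW key 8 */

typedef struct {
    uint8_t key;             /* storage key (0-15) */
    uint8_t data[PAGE_SIZE];
} page_t;

static page_t memory[NPAGES];

/* Hypothetical layout: pages 0-1 are OS-layer storage (where an ESM would
 * keep its credentials); pages 2-3 are key-8 application storage. */
void init_memory(void)
{
    memset(memory, 0, sizeof memory);
    memory[0].key = KEY_OS;
    memory[1].key = 1u;
    memory[2].key = KEY_APP;
    memory[3].key = KEY_APP;
}

static page_t *page_of(uint32_t addr)
{
    uint32_t n = addr / PAGE_SIZE;
    return n < NPAGES ? &memory[n] : NULL;
}

/* Architectural store rule: PSW key 0 may store anywhere; any other PSW key
 * may store only into storage whose key matches. */
bool store_allowed(uint8_t psw_key, uint32_t addr)
{
    const page_t *p = page_of(addr);
    return p != NULL && (psw_key == 0u || psw_key == p->key);
}

uint8_t read_byte(uint32_t addr)
{
    const page_t *p = page_of(addr);
    return p != NULL ? p->data[addr % PAGE_SIZE] : 0u;
}

/* The defect the text describes: an authorized service stores to whatever
 * address its unauthorized caller supplied, never asking whether the caller
 * could have stored there itself. The caller's key is simply ignored. */
int svc_store_vulnerable(uint8_t caller_key, uint32_t addr, uint8_t value)
{
    page_t *p = page_of(addr);
    (void)caller_key;
    if (p == NULL) return -1;
    p->data[addr % PAGE_SIZE] = value;   /* behaves as a key-0 store */
    return 0;
}

/* Hardened form: validate the caller-supplied target against the caller's
 * own PSW key before the privileged store. On real z/OS the same effect is
 * obtained by storing under the caller's key (MVCDK) or switching to it first. */
int svc_store_hardened(uint8_t caller_key, uint32_t addr, uint8_t value)
{
    if (!store_allowed(caller_key, addr))
        return -1;                       /* refuse to alter OS-layer storage */
    page_of(addr)->data[addr % PAGE_SIZE] = value;
    return 0;
}

int main(void)
{
    init_memory();                       /* 0x100 lies in key-0 page 0 */
    printf("vulnerable svc, key-8 caller, OS target: rc=%d\n", svc_store_vulnerable(KEY_APP, 0x100u, 0xFFu));
    init_memory();
    printf("hardened svc,   key-8 caller, OS target: rc=%d\n", svc_store_hardened(KEY_APP, 0x100u, 0xFFu));
    printf("hardened svc,   key-8 caller, own page:  rc=%d\n", svc_store_hardened(KEY_APP, 2u * PAGE_SIZE, 0xFFu));
    return 0;
}
```

The hardened service still rejects the write even though it runs in a system key, because the decision is made on the caller's key, which is the check the vulnerable SVC or PC routine in the text omits.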

    Comprehensive Risk Management

    Today, System z supports z/OS integrity with controls that include separation of functions, two-factor authentication, logging of privileged access, standards-based defaults for system configurations, the ability to classify data, and encryption of sensitive data.

    The focus has always been to protect data using the ESM’s Access and Authentication security strategies. Unfortunately, protecting the volume of data coming from the numerous sources available today makes this traditional methodology impractical, and hackers have sophisticated means to bypass these traditional strategies to exploit exposures. A comprehensive security compliance program should always include analysis for configuration-based and code-based vulnerabilities. Mainframes need constant evaluation for exposures created not only by configuration changes, but also vendor software releases and patches. Failure to do both leaves your mainframe system at risk.

    Establishing and monitoring policy-driven security settings is fundamental to a robust risk management strategy. Additionally, code-based vulnerability scanning can test for zero-day vulnerabilities in the operating system layer caused by poor coding techniques. This is known as Operating System Integrity Testing™ (OSIT). Code reviews, isolated and manual, are not only impractical and costly but also inaccurate. Dynamic review of code during testing or run-time goes further, but cannot point to the line of code where the vulnerability originated.

    The recommended approach is persistent, interactive identification of z/OS and application code vulnerabilities. Interactive application and OS layer code vulnerability scanning, with dynamic testing to determine the location of the vulnerability in the code, is necessary to ensure that both data and systems are protected. Successfully managing the z/OS security code vulnerability problem requires an Operating System Integrity Testing™ (OSIT) approach using an interactive and persistent testing methodology, along with monitoring of critical z/OS and ESM functions. The outcome for you is a mainframe that both maintains its system integrity and delivers effective security, which in the end provides the least risk of exposure to breaches.

    Deep Intelligence Provides Greater Security

    It's All About Integrity

    • Initial scan to baseline the systems
    • Review the Vulnerability Detail Reports for each code vulnerability
    • Provide VDRs to vendors
    • Apply vulnerability patches obtained from vendors
    • Rescan to verify the code vulnerability has been addressed
    • Scan every time maintenance is applied

    Visit www.krisecurity.com to learn more

    STOP ADVANCED THREATS

    The z/Assure® Vulnerability Analysis Program (VAP) is available to quickly and efficiently identify zero-day mainframe vulnerabilities and protect your organization from denial of service (DDoS) attacks and much more.

    In Conclusion

    Remember, ensuring system integrity is outside the scope of the External Security Managers. The ESMs were not designed to enforce your security policy when an OS-layer code vulnerability is exploited: the exploit bypasses the ESM security controls, allowing unauthorized and undocumented access to data.

    System integrity is a critical component of z/OS. Regardless of which ESM you have, they all depend upon system integrity in order to function properly. Your z/OS system is vulnerable with a single system integrity exposure. Without Operating System Integrity there can be no System Security.

    Where does all this lead? It surely does not undermine the mainframe’s well-deserved reputation for integrity; no other platform rivals what its integrated architecture, development and maintenance philosophies, and fundamental reliability mindset provides.

    It does, however, recall the sage advice: “Trust but verify”. Mainframes remain the ideal platform for supporting business processes and especially for building future successes (mobile, cloud, payment), but their use must include appropriate verification that the system’s architectural foundation -- z/OS -- provides no “basement kitchen window” exposures.

    About the author Ray Overby is the President and CTO at Key Resources, Inc. a mainframe software and security services firm founded in 1988. Ray is a recognized authority in mainframe security, risk and compliance for IBM zSystem environments. For the past 12 years, he has been providing security consulting services to Fortune 500 institutions focusing on comprehensive z/OS vulnerability assessments.

    A hackathon is a way to bring together like-minded people, divide them up into teams, and develop customer-focused ideas very quickly. The important things for a hackathon are: creativity and innovation; adopting a start-up mentality, rapid prototyping and producing a Minimum Viable Product (MVP); and including your mainframe. Teams will combine internal APIs with externally-available APIs to produce something new and unique using modern programming languages such as node.js and swiftlang.

    But would any self-respecting mainframe-using business indulge in hackathons? The answer is definitely ‘yes’, because they provide a way to circumvent waterfall development methodologies where a new application could be two years away and by then out of date. Citibank runs Citi mobile challenges. These get people to look at different ways people can consume their banking services – it’s a way to get the next big idea from people outside their company. And Citibank can then monetize the ideas. Blockchain is great for hackathons because it is digital and secure.

    So what’s needed for a hackathon to be a success? Here are some ideas: positive energy, IT skills, a venue and a date, sponsorship, a code of conduct, mixer sessions, and resources (venue, food, and drink). On the day, you need a keynote speaker, food and drink, and people to develop their ideas. At the end of the hackathon, teams should have produced a viable product that has been tested and can be shown. It can then be further developed and tested and possibly used commercially. A hackathon is definitely an idea that’s worth giving a try.


    DevOps for the mainframe

    DevOps has moved beyond being the latest, trendy buzzword to mainstream. Today, it receives attention from industry analysts, marketers, bloggers, software developers and, more importantly, IT departments in large and small enterprises. Why? DevOps helps businesses compete by delivering innovations to customers faster and more reliably. Learn how the mainframe can be part of the DevOps conversation.

    What is DevOps and why should I care?

    Occasionally, I am asked if DevOps is a tool that can be bought. If only it was that easy. DevOps is really about organizational change. It is the practice of Development and IT Operations working together through the entire software lifecycle, from design through the development process to production. This not only requires a change in behavior and culture but the implementation of processes and the use of a new tool-chain to bring it all together.

    The main goal of a DevOps approach is to develop and deploy innovation faster—to meet the needs of your customers or constituents. But speed cannot come at the price of quality. As leading industry analysts note: “DevOps emphasizes collaboration, automation and integration of development and operations teams, resulting in more frequent releases at higher quality”.1 CIOs are keen to use DevOps in order to respond to Line of Business (LOB) requirements faster by leveraging agile development. When development is agile, small teams work interactively on tasks in iterative work cycles with a focus on delivering value to customers. By taking down the walls of hierarchy, there is transparency between teams, ensuring better coordination. Harmonizing the change management and development processes also allows CIOs to better scale development teams.

    Figure 1: The Benefits of DevOps

    1 A CIO’s Guide to DevOps, On-Demand Video - Watch Anytime, Anywhere. Retrieved from https://www.gartner.com/webinar/3165618.


    Yes, you may say, our Java® teams and new developers are using DevOps but we are the mainframe team so this isn’t relevant to us. I beg to differ. Mainframe teams can play an integral role in the DevOps processes of your organization. Don’t let your CIO overlook your team’s ability to participate.

    Why is DevOps relevant for the mainframe?

    A key feature of DevOps is continuous deployment—which means testing is automated and changes are immediately deployed to production. Google® and Amazon® do this—they make changes to live apps at a rate of 20,000 deployments per day. It is estimated that “Amazon deploys every 11.6 seconds”.2 They are the pioneers of DevOps and need the speed to meet the dynamic needs of their market place. The speed of change is breathtaking in this environment.

    In the mainframe world, this break-neck speed of change is just not realistic. But this does not preclude mainframe teams from participating in DevOps. While mainframe developers don’t have a culture of implementing changes willy-nilly and certainly don’t push out changes continuously, they can benefit from many of the principles of DevOps such as repository-based development and Continuous Integration. If mainframe teams can get to a state where they can deploy on a weekly basis using DevOps, this is a big advantage over the waterfall models, which take months and lock processes.

    Repository-based development supports parallel development

    As simple as it sounds, it is a big change in the mindset of mainframe developers to realize that a repository like Git takes lead over the source code. All changes are now committed to this repository and from there, distributed to the corresponding environments. Developers have to pull source code out of the repository, implement and change code on a local workspace, then execute and test in a private and isolated mode on a remote development environment. Using the Natural programming language as an example, the single source of truth is now the repository and no longer the FUSER. Development happens in an Eclipse™-based platform like NaturalONE. Private mode supports work performed in parallel by allowing developers to test and execute their implementation in isolation from each other. A source code repository supports “branching”, where multiple teams can work on multiple branches of the code then merge the branches upon completion. In your typical mainframe environment today, without DevOps, you have to lock modules and no one else is able to make changes. The waiting for unlock kills efficiency and productivity. By working on a repository in parallel, you are not blocked.

    2 Hacker News. Retrieved from https://news.ycombinator.com/item?id=2971521. Lawton, George (2013, Sep 5). How Amazon Made the Leap to a DevOps Culture. Retrieved from: http://servicevirtualization.com/how-amazon-made-the-leap-to-a-devops-culture/.

    Figure 2: DevOps on the Mainframe with NaturalONE

    What happens if all this code developed in parallel conflicts with one another? Fortunately, at the end it all gets merged with the help of the merge capabilities of the source code management system. After committing and pushing your changes, Continuous Integration ensures your application can be built with your changes incorporated into the shared development environment.

    Continuous Integration ensures application build is successful

    “A cornerstone of DevOps is Continuous Integration (CI), a technique designed and named by Grady Booch that continually merges source code updates from all developers on a team into a shared mainline. This continual merging prevents a developer’s local copy of a software project from drifting too far afield as new code is added by others, avoiding catastrophic merge conflicts. In practice, CI involves a centralized server that continually pulls in all new source code changes as developers commit them and builds the software application from scratch, notifying the team of any failures in the process. If a failure is seen, the development team is expected to refocus and fix the build before making any additional code changes. While this may seem disruptive, in practice it focuses the development team on a singular stability metric: a working automated build of the software.”3

    Any modification is uploaded and compiled in an isolated private mode. Once a developer has finished the work on a feature, he makes the changes available to others by committing them to the repository. Through Continuous Integration, the new changes are transferred from the repository to the central development environment. It ensures our application is built successfully and should run unit tests to prove that all functionality still works.

    Continuous Testing is required for DevOps success

    Faced with increasingly complex applications delivered at dramatically faster speed, software testers have the potential to be the bottleneck that determines if a DevOps initiative fails or succeeds. To implement full DevOps, the testing process must be automated and transformed to happen continuously. This should dramatically reduce the level of effort required for testing. Testing must also be collaborative to ensure quality while reducing the time it takes to deliver new features.

    Fortunately, there are a number of tools available in the market that can help. Like Java developers, mainframe developers using Natural can also establish and automate unit tests using NaturalONE and Continuous Integration tools such as Jenkins®. All modules can be continuously tested to ensure quality and even Natural programs can be fully tested using the newly available Natural screen-based Tester. For Natural mainframe developers, NaturalONE tools like Profiling and Code Coverage for runtime testing complement the testing process. These tools ensure that the performance of the components delivered meets the business requirements and the code coverage of your unit tests is high enough.

    3 Cois, Aaron (2015, Jan 26). Continuous Integration in DevOps. Retrieved from https://insights.sei.cmu.edu/devops/2015/01/continuous-integration-in-devops-1.html.


    Project and change management must be collaborative

    Last but not least, effective project and change management is a key component in setting up DevOps in your organization. It is good practice in DevOps that no development and no change should happen unless it is linked to a proper task in a project or change management tool. So even at the start of DevOps, project and change management comes first, and all activities should support an existing task. Every source code change and every build and deployment should be tracked and, of course, fully automated. This gives you full transparency into the whole development lifecycle of your organization.

    For mainframe developers running mission-critical applications, the stakes are high. You need the right tools to effectively coordinate and govern your systems development lifecycle. Fortunately, if you use an Eclipse-based platform like NaturalONE, there are many open source and third party tools that you can leverage to help manage your project. NaturalONE integrates with any tool that has an Eclipse plugin, such as Atlassian Jira® and the open source Redmine.

    Benefits of DevOps for the Mainframe

    From the CIO down to the application developer, implementing DevOps means delivering better code, faster and more efficiently. Productivity is improved by automating processes and leveraging Eclipse and repository-based tools for parallel development. Transparency is also greatly improved with a change-management record which contains a history of all changes, version comparison and the ability to roll back to a previous version. With Continuous Integration, test efforts are reduced while quality of deployment is improved.

    One of the most empowering reasons CIOs will want to pursue DevOps is that it will help reduce the risk of business disruption due to the retirement of skilled workers—the generational change in workforce. This is especially true for IT departments that still use Natural on the mainframe. NaturalONE is the recommended development environment for Natural because it is fully integrated with the DevOps tool chain familiar to Java developers, who will also appreciate NaturalONE’s familiar Graphical User Interface (GUI) and wizards. Because NaturalONE is Eclipse-based, you can standardize on a single platform across all programming languages. You can efficiently cross-train personnel to deploy resources where they’re most needed—and at a moment’s notice. You’ll find it easier to recruit new programmers who will appreciate the collaborative DevOps support of NaturalONE for agile development and Continuous Integration.

    It is also worth mentioning that Natural applications running on a mainframe can run equally well on Open Systems platforms. In fact, about half of the Natural applications operating worldwide run on Linux, UNIX or Windows. If your company is thinking about re-hosting its Natural applications, to Linux for example, your implemented DevOps approach can be applied in exactly the same way in your new Open Systems environment. It can even be a valuable first step in that direction.

    Jump start DevOps for your mainframe with NaturalONE

    If you run Natural on a mainframe, I strongly encourage you to give NaturalONE a try. NaturalONE embraces the DevOps approach to development, enabling you to develop new applications and modernize existing Natural applications—faster—to meet changing business requirements and reduce application development costs.

    NaturalONE operates in Linux® or Windows® and, because it is based on Eclipse, easily integrates with multiple Eclipse-based tools. Since work can be executed from one platform without having to open accompanying applications on their base platform, developers of Natural as well as Java or COBOL can efficiently collaborate and work on multiple platforms using a range of developer productivity tools from a single user interface. NaturalONE is well-suited for developing applications to run natively on the mainframe, Linux, UNIX® and Windows (LUW).

    TACKLE THE SKILLS CHALLENGE WITH DEVOPS FOR THE MAINFRAME

    Modernize your mainframe application development tools and processes for DevOps to increase responsiveness to business, improve development quality and attract new talent. With Eclipse™-based NaturalONE, you can easily recruit new programmers who will appreciate its collaborative DevOps support for agile development and continuous integration.

    Try NaturalONE for free, download at www.SoftwareAG.com/NaturalONE.

    Software AG is leading the way for the next generation to innovate and harness the potential of Digital Transformation with its Adabas & Natural 2050+ Agenda.

    Learn how at 2050.softwareag.com.

    NaturalONE can accelerate delivery of new applications with automatic, interactive testing and debugging tools. Open source versioning tools allow for team development where developers can write, test and execute programs independently while sharing the source code of the project in a team repository. Like Java developers, you can establish and automate unit tests using open source tools such as Jenkins. NaturalONE tools, like profiling for runtime testing, complement the testing process and ensure that the performance of the components delivered meet the business requirements.

    From NaturalONE, you can use Construct, EntireX, Predict and many other tools by remotely connecting to your mainframe or LUW environment. For example, conduct Predict data dictionary maintenance and browse data using the integrated data browser for Natural Data Definition Modules.

    Bring your mainframe into the DevOps conversation by leveraging NaturalONE. This Eclipse-based Integrated Development Environment (IDE) lets developers code, test and maintain applications, expose Natural objects as services, create Rich Internet Applications (RIAs) and web interfaces, and manage the complete DevOps lifecycle from one environment so you can modernize and deploy new applications more quickly with better quality to immediately satisfy your customers.

    About the author

    Zvonimir Ivanetic is a Senior Adabas & Natural Customer Success Architect at Software AG. He has been with Software AG for more than 10 years, working as a consultant on the integration and modernization of Adabas & Natural applications and the development of distributed, scalable web applications. With the introduction of the Adabas & Natural 2050+ Agenda, Zvonimir joined the global core team as an Architect, supporting all customers in transforming to a digital architecture, optimizing their infrastructure and bringing innovation to their valuable Adabas & Natural applications.

    About Adabas & Natural 2050+

    Countless organizations rely on the Adabas & Natural platform for their mission- and business-critical applications. With the “Adabas & Natural 2050+ Agenda”, Software AG is fully supporting customers in harnessing the innovation potential provided by digitalization. From skills to connectivity, to DevOps development and cost-efficient platforms, Software AG is leading the way for the next generation. Learn more at http://2050.softwareag.com

    About Software AG

    Software AG (Frankfurt TecDAX: SOW) helps companies with their digital transformation. With Software AG’s Digital Business Platform, companies can better interact with their customers and bring them on new ‘digital’ journeys, promote unique value propositions, and create new business opportunities. In the Internet of Things (IoT) market, Software AG enables enterprises to
