Hector Martin

I am a person who specializes in cloud native infrastructure, not a COBOL programmer, but if you're like "lol why don't banks and governments migrate to modern systems?!" I have some news for you about the security of bleeding edge systems

What makes you think the COBOL systems are secure?

Oh, I am not saying that I'm saying that ancient turtles or new turtles, it's turtles all the way down

And yet that's not a good argument for spending millions on supporting those barely functional systems.

Some of them were stringently tested by the government in the 80s. There used to be standards for computer security designed by military. That kind of standardization and testing just doesn't tend to happen anymore except for a very few niche companies.

Modern computer programming is too much of a moving target. And, in the name of speed, we sacrifice a lot of security-first principles. https://en.m.wikipedia.org/wiki/Meltdown_(security_vulnerability) … for example. Compare to AS/400 architecture, where CPU are designed less efficiently in order to be secure.

AS/400 isn't a CPU architecture though, it uses machine independent bytecode (like Java, Android dex, LLVM IR in iOS apps, and other similar modern versions). The actual CPUs used by AS/400 have been POWER for a while and certainly are vulnerable to Spectre subsets.

By the way, z/OS and friends are lacking many modern security mitigations. I wrote a CTF for z/OS USS that was a trivial stack overflow, which would've instantly been caught by stack cookies on any modern system, and made harder to exploit by ASLR.