Open Mainframe Project Security Concerns
I was chatting with a mainframer buddy the other day, and he expressed some concerns about the overall code security of the Open Mainframe Project (OMP), particularly around member vetting. So, I spent a bit of time digging into the OMP.
I love the OMP mission. It was launched back in 2015 to be the center of gravity for open-source and Linux in the mainframe world. And it has been wildly successful in achieving its goal: bridging the skills gap and proving that the mainframe is a modern, critical platform.
But the deeper I looked, the more I realized something deeply troubling: the OMP’s security posture is dangerously misaligned with the high-assurance, high-stakes world it operates in.
The entire OMP philosophy is built on an “open tent” and a 2015-era model of human trust. Its success in building a community is also its most significant liability. Its trust model is rooted in human reputation and corporate relationships, not technical proof. That is exactly the model the XZ Utils backdoor exploited: a pseudonymous contributor spent roughly two years earning maintainer status through ordinary, helpful activity before shipping a backdoored release.
I’ve done a deep analysis of the project’s structure, governance, and technical pipeline. What I found isn’t pretty.
Summary of Findings
The “Human Pipeline” is a Vulnerability
The OMP’s LFX Mentorship Program is its single greatest vulnerability. It’s a formalized, high-trust “golden ticket” that grants unvetted individuals direct access to core projects and mentors from IBM, Broadcom, and SUSE. It’s a ready-made vector for a “mentee-to-malware” social engineering attack.
Security is Dangerously Inconsistent
The OMP is a “neutral home” for a collection of self-governed projects. Because each project sets its own rules, security posture varies widely from one project to the next. The Galasa project has a robust, preventive check that blocks unknown code before it enters the pipeline. The flagship Zowe project doesn’t; it relies on reactive scans after code is already in the pipeline, so a malicious change is caught only if a scanner happens to flag it.
It’s a “Black Box” Pipeline
The OMP’s security practices are dated. They tout things like SBOMs and the CII Best Practices Badge (now the OpenSSF Best Practices Badge). Those are useful hygiene, but the XZ Utils project also had a CII badge, and it did nothing to stop the backdoor. A badge is a self-assessment of process; it says nothing about whether any particular artifact was built from the published source. It’s security theater. I found limited evidence of modern, cryptographic attestation. There’s no broad Sigstore artifact signing (a verifiable signature tying each artifact to the identity that produced it) and no SLSA build provenance (a signed record of the source, builder, and build steps that produced it). Consumers are flying blind: someone downloading a release cannot tell whether it came out of the project’s build or from whoever held a release credential that day.
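To make concrete what consumers are missing, here is what a provenance check looks like on the consumer’s side. This is an added example written for this post, not code from the OMP, Zowe, Galasa, or the Sigstore/SLSA projects. It implements the DSSE envelope, in-toto Statement, and SLSA v1 provenance layouts using only Go’s standard library, with a fixed-seed Ed25519 key standing in for the builder’s signing identity; a real pipeline would use cosign or slsa-verifier, which additionally check the Sigstore transparency log. The builder ID, key ID, seed, artifact bytes, and file name are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
)

const (
	statementType  = "https://in-toto.io/Statement/v1"
	slsaProvenance = "https://slsa.dev/provenance/v1"
	payloadType    = "application/vnd.in-toto+json"
	ExampleBuilder = "https://ci.example.invalid/builders/release/v1" // hypothetical builder ID
)

// Envelope is a DSSE envelope: signatures cover the PAE of payloadType+payload, not the raw JSON.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto Statement JSON
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"` // a lookup hint only, never trusted by itself
	Sig   string `json:"sig"`   // base64
}

// Statement holds just the fields this check needs from an in-toto Statement with a SLSA v1 predicate.
type Statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		RunDetails struct {
			Builder struct{ ID string `json:"id"` } `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

// pae is DSSE's pre-authentication encoding: "DSSEv1 " len(type) " " type " " len(body) " " body.
func pae(typ string, body []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(typ)) + " " + typ + " " + strconv.Itoa(len(body)) + " " + string(body))
}

// Sign is the builder's side: wrap the statement in an envelope signed over its PAE.
func Sign(statement []byte, keyID string, priv ed25519.PrivateKey) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, statement))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(statement),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// VerifyProvenance is the consumer's side: a valid signature from a key we already trust, a SLSA v1
// provenance statement naming the builder we expect, and a subject digest equal to the downloaded artifact's.
func VerifyProvenance(env Envelope, artifact []byte, trusted map[string]ed25519.PublicKey, wantBuilder string) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	signed := false
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		if ok && derr == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), raw) {
			signed = true
			break
		}
	}
	if !signed {
		return fmt.Errorf("no valid signature from a trusted builder key")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("statement: %w", err)
	}
	if st.Type != statementType || st.PredicateType != slsaProvenance {
		return fmt.Errorf("unexpected statement/predicate type %q / %q", st.Type, st.PredicateType)
	}
	if got := st.Predicate.RunDetails.Builder.ID; got != wantBuilder {
		return fmt.Errorf("built by %q, expected %q", got, wantBuilder)
	}
	sum := sha256.Sum256(artifact)
	for _, subj := range st.Subject {
		if subj.Digest["sha256"] == hex.EncodeToString(sum[:]) { // the provenance is about this very artifact
			return nil
		}
	}
	return fmt.Errorf("artifact sha256 does not match any provenance subject")
}

// ExampleProvenance constructs a fake artifact, a throwaway builder key and signed SLSA provenance
// for it (all hypothetical) so the check can be exercised offline.
func ExampleProvenance() (Envelope, []byte, map[string]ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed([]byte("throwaway-demo-seed-not-a-secret")) // fixed 32-byte seed, demo only
	artifact := []byte("constructed release tarball bytes, not a real artifact")
	sum := sha256.Sum256(artifact)
	statement := fmt.Sprintf(`{"_type":%q,"predicateType":%q,"subject":[{"name":"example-1.0.0.tar.gz","digest":{"sha256":%q}}],"predicate":{"runDetails":{"builder":{"id":%q}}}}`,
		statementType, slsaProvenance, hex.EncodeToString(sum[:]), ExampleBuilder)
	return Sign([]byte(statement), "builder-key-1", priv), artifact,
		map[string]ed25519.PublicKey{"builder-key-1": priv.Public().(ed25519.PublicKey)}
}
```

Calling `VerifyProvenance` on the genuine artifact returns nil; feeding it a modified artifact, an envelope with no signatures, an empty trust store, or a different expected builder ID each returns an error. The point of the four checks is that a release credential alone buys an attacker nothing: the signature has to come from the build identity the consumer pinned, and the provenance has to name this exact artifact.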
Governance is Buried
The OMP’s “Root of Trust” isn’t hardware—it’s human reputation. Trust is delegated to committees. And when I went to find the actual rules for promoting a contributor to a committer for key projects like Zowe and Galasa, I hit a wall. The files weren’t missing, but they were effectively hidden in non-standard repositories, creating a “security by scavenger hunt” problem.
The report provides an in-depth analysis of these vulnerabilities and offers strategic recommendations to address them. Let’s get into it.
Download the Full Report
Fill out the form to download a free copy of the full report, including a foreword by Mark Wilson, Editor of Cheryl Watson’s Tuning Letter and Technical Director at Vertali.








