Introduction
As enterprises on IBM z/OS embrace open source tools to modernize applications and drive DevOps, a critical question emerges: How can you be certain that the open source you deploy meets the same high security standards as the mainframe it runs on?
This article details how IBM builds the foundation of trust for IBM Open Enterprise Foundation for z/OS (OEF), a no-cost suite of foundational open source tools, including Git, Bash, Perl, Curl, Vim, and more, that have been ported, vetted, and packaged for z/OS.
Delivered with world-class IBM support at no cost, OEF gives organizations the confidence to adopt and scale open source on the mainframe. Available as a standalone, no-charge product in Shopz and provided as a bypassable requisite when ordering z/OS, the suite includes tools ported to behave consistently with their upstream Linux and UNIX counterparts. This allows teams to reuse CI/CD scripts, automation workflows, and familiar development practices with minimal changes. OEF accelerates onboarding, reduces friction, and brings modern DevOps practices to the mainframe without compromising on security or support.
This article outlines how IBM builds trust in the OEF toolchain, from supply chain security and vulnerability management to continuous maintenance and support.
1. A Software Supply Chain for z/OS Designed with Security in Mind
The widespread use of open source brings the challenge of supply chain security into sharp focus. When a critical vulnerability is discovered, organizations must quickly answer, "Are we exposed, and how do we get a fix?"
IBM Open Enterprise Foundation for z/OS (OEF) helps address this challenge by delivering a curated, security-vetted set of open source tools through SMP/E. While IBM's ability to provide a fix is often dependent on the open source community releasing an upstream patch, our value is in managing the entire lifecycle on behalf of our clients. We actively monitor the community projects, and once a fix is available, we incorporate, test, and deliver it as a PTF. This streamlines vulnerability response by providing a single, reliable inventory and a consistent process for receiving updates, ensuring enterprises can adopt open source with confidence.
IBM also actively contributes to the open source communities, returning z/OS-specific fixes and enhancements for tools like Git, Bash, Perl, and Vim to the upstream open source projects where appropriate.
This model of vendor support aligns directly with industry expectations; this report found that 82% of IT leaders are more likely to trust a vendor who actively contributes and supports the open source community.
2. The IBM Vetting and Support Process
IBM's process for handling the tools in OEF is designed to manage risk and provide enterprise-level support. The process is governed by the principles of IBM Security and Privacy by Design (SPbD@IBM), applied once the software is brought into our z/OS toolchain.
Key elements of this process include:
- Vulnerability Scanning: The versions of the open source packages selected by IBM are scanned using industry-standard tools to identify known vulnerabilities (CVEs).
- Static Code Analysis: In addition to checking for known CVEs, the source code is also analyzed using Static Application Security Testing (SAST) tools. This analysis helps identify potential coding flaws, common bug patterns, and security weaknesses that may not yet be public vulnerabilities, which IBM then works to remediate before the software is packaged.
- Delivery Platform: The tools are delivered in a standard, auditable SMP/E format via Shopz, helping to ensure their integrity and providing an audit trail from IBM to your system.
- Full IBM Support Available: For clients with a standard z/OS software support contract, the tools in OEF are automatically fully supported. This means you can open a support case for issues with these tools, just as you would for other IBM Z software products.
3. Continuous Maintenance
IBM's ongoing commitment to Open Enterprise Foundation for z/OS (OEF) is reflected in a consistent and transparent update process.
The "Fix List for IBM Open Enterprise Foundation for z/OS" provides a list of all OEF PTFs.
A primary goal is to deliver currency with the open source community, ensuring z/OS developers have access to recent features and enhancements, and most importantly, security fixes for known vulnerabilities (CVEs).
The evidence for this is clear in the regular version updates to core components.
- For example, Git was systematically updated from its initial release at version 2.45.1 to 2.50.1 (as of this writing) through a series of PTFs in less than a year.
- Similarly, other key tools like Perl, Curl, and Vim consistently received version refreshes, keeping the OEF product aligned with the upstream open source projects.
To help clients track which PTF a tool originated from, the iden command can be used to display metadata about the installed version. For example:
iden /path/to/git
git:
Vendor:IBM_OEF_1.1.0.5 BuildRev:683c54c 2025-04-24 12:12:54 EDT
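As an added example (not from the article and not part of the OEF product), the following POSIX shell script parses the iden output format shown above into an inventory line, extracts the OEF level from the Vendor tag, and compares it against a required level taken from a fix list or security bulletin; the sample iden output is constructed, and the check_tool helper assumes a real z/OS system with iden on the PATH.

```shell
# Added example: parse the iden output format from the article and compare
# the installed OEF level against a required level. Not part of OEF.

# Constructed sample iden output (format taken from the article's example).
SAMPLE_IDEN_OUTPUT='git:
Vendor:IBM_OEF_1.1.0.5 BuildRev:683c54c 2025-04-24 12:12:54 EDT'

# parse_iden: reads iden output on stdin, prints "tool level buildrev date".
parse_iden() {
  awk '
    /^[^ ]+:$/ { tool = substr($1, 1, length($1) - 1); next }
    /^Vendor:/ {
      split($1, v, ":"); level = v[2]
      split($2, b, ":"); rev = b[2]
      print tool, level, rev, $3, $4, $5
    }'
}

# oef_level: reads iden output on stdin, prints only the version part of
# the Vendor tag (IBM_OEF_1.1.0.5 -> 1.1.0.5).
oef_level() {
  parse_iden | awk '{ sub(/^IBM_OEF_/, "", $2); print $2 }'
}

# level_ge INSTALLED REQUIRED: succeeds when dotted level INSTALLED is
# greater than or equal to REQUIRED, compared numerically field by field.
level_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = x[i] + 0; q = y[i] + 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# check_tool PATH REQUIRED: on a real z/OS system, run iden on PATH and report
# whether its OEF level meets REQUIRED (a level you take from the fix list or
# the relevant security bulletin). Assumes iden is available.
check_tool() {
  installed=$(iden "$1" 2>/dev/null | oef_level)
  [ -n "$installed" ] || { echo "$1: no OEF metadata"; return 2; }
  if level_ge "$installed" "$2"; then echo "$1: $installed >= $2 OK"
  else echo "$1: $installed < $2 UPDATE NEEDED"; return 1; fi
}

printf '%s\n' "$SAMPLE_IDEN_OUTPUT" | parse_iden
```

Running parse_iden over the output of iden for each tool in the OEF install directory gives the single inventory the vulnerability response question "Are we exposed?" needs.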
4. Structured Vulnerability Disclosure
Reflecting the platform's critical role in enterprise operations, IBM maintains a unique security disclosure policy for IBM Z. The central component of this policy is the IBM Z Security Portal, which is available to entitled clients and requires authorization for access. This controlled approach ensures that sensitive vulnerability details are treated as IBM Confidential and shared responsibly to minimize risk across the ecosystem.
The portal is the authoritative source for security bulletins (APARs with a SECINT field) related to IBM Z software. These bulletins provide details on the vulnerability, including a Common Vulnerabilities and Exposures (CVE) identifier when applicable and a Common Vulnerability Scoring System (CVSS) base score. The CVSS score is an industry-standard metric that helps clients conduct their own risk assessments and prioritize remediation within their specific environment.
This disclosure process is managed by IBM's Product Security Incident Response Team (PSIRT). For a detailed overview of IBM's vulnerability management philosophy and practices, you can review the official IBM Security Vulnerability Management page.
Help Shape the Future of OEF
IBM welcomes your input in shaping the future of open source on z/OS.
If there’s a specific open source tool you would like to see added to OEF, please submit your idea via the IBM Ideas Portal.
Client feedback plays a crucial role in how we evolve and expand the toolkit — your request could help bring the next essential open source tool to the platform.