JCL Check - Penetration Test Policy

Article ID: 232654

Updated On:

Products

JCLCheck Workload Automation

Issue/Introduction

A customer may request a Penetration Test report for JCLCheck to confirm that the product has been tested and has no security vulnerabilities.

What is the Broadcom Mainframe Software Division official policy regarding this subject?

Environment

Release :  

Component : JCLCheck Workload Automation

Resolution

With the ever-increasing focus on integrity, security, and high quality, Broadcom Mainframe Software Division is committed to delivering high-quality products. We adhere to a very strict Secure Software Development Lifecycle Process. To promote maximum software security and integrity, we have adopted a blended approach of static code scans, dynamic scans of authorized code, dynamic analysis, as well as active Penetration Testing of select products. Vulnerabilities discovered are investigated, prioritized, and addressed. In line with general industry practice, we do not publish details of these discoveries. The number of products subjected to penetration testing will increase over time.

Broadcom adheres to the same integrity statement as IBM, as described in the “z/OS System Integrity Statement”.

For JCLCheck, we run dynamic scans of the code on a regular basis (such as those found in the IBM utility zACS). Static scans of the REST API code are performed on a regular basis as well.

That said, there is currently no penetration testing for JCLCheck, but it is a future item. We will definitely keep you posted when the time comes.