Mainframe Penetration Testing

Finding mainframe security experts is a challenge. As a result, mainframes are often passed over during security reviews, which increases the security risk to your business-critical infrastructure. NetSPI partners with one of the most qualified mainframe security experts to offer you the mainframe penetration testing service with the coverage you need.

Improve IBM z/OS Mainframe System Security

While z/OS mainframe deployments are far more secure than other platforms, they still suffer from critical software and configuration vulnerabilities. Often, these vulnerabilities can be exploited via a simple REXX Exec, which presents significant risks to your company.

NetSPI’s mainframe security experts use a proven approach to mainframe penetration testing on IBM z/OS systems to identify security vulnerabilities that exist within your mainframe.

Mainframe Penetration Testing Service

During an onsite or remote pentest, our mainframe penetration testing experts test the following areas from multiple user perspectives to identify high-risk privilege escalation paths:

  • Library access checks
  • Password checks
  • Public dataset checks
  • Public resource checks
  • User SVC checks
  • MVS and JES2/JES3 command authority checks
  • RACF/TSS/ACF2 exit checks
  • ES2/JES3 spool dataset checks
  • MVS subsystem checks (IMS, DB2, CICS, NetView, etc.)
  • MVS UNIX environment checks
  • Miscellaneous checks

Why Do I Need Mainframe Penetration Testing?

Mainframe security vulnerabilities can lead to external or internal breaches of the existing security controls. Once breached, there is high risk of compromising the confidentiality, integrity, and availability of the mainframe’s systems or data.

IBM states that the detection of mainframe vulnerabilities is the responsibility of the client, according to the standard terms and conditions of IBM’s mainframe warranty. In addition, PCI DSS, Sarbanes Oxley, and ISO standards stipulate that penetration testing needs to be performed regularly.


Pentesting Research and Tools

Learn about penetration testing on our blog, our open source penetration testing toolsets for the infosec community, and our SQL injection wiki.