Mainframe Penetration Testing

Finding mainframe security experts is a challenge. As a result, mainframes are often passed over during security reviews, which creates risk to some of the business’s most critical infrastructure. NetSPI partners with one of the world’s most qualified mainframe security experts to offer mainframe penetration testing that provides the coverage you need.

Identify Vulnerabilities in Your IBM z/OS Mainframe System

While z/OS mainframe deployments can be far more secure than other platforms, they can still suffer from critical software and configuration vulnerabilities. These vulnerabilities can often be exploited via a simple REXX Exec, which presents significant risks to your company.

NetSPI partners with mainframe security experts who use a proven approach to mainframe penetration testing on IBM z/OS systems to identify security vulnerabilities that exist within your mainframe.

Our Mainframe Penetration Testing Service

During an onsite or remote pentest phase, our penetration testing experts test the following areas from multiple user perspectives to identify high-risk privilege escalation paths:

  • Library access checks
  • Password checks
  • Public dataset checks
  • Public resource checks
  • User SVC checks
  • MVS & JES2/JES3 command authority checks
  • RACF/TSS/ACF2 exit checks
  • JES2 / JES3 spool dataset checks
  • MVS subsystem checks (IMS, DB2, CICS, NetView, etc.)
  • MVS UNIX environment checks
  • Miscellaneous checks

What to Know About Mainframe Penetration Testing

Mainframe security vulnerabilities can lead to external or internal breaches of the existing security controls. Once breached, there is a high risk of compromising the confidentiality, integrity, and availability of the mainframe’s systems or the data residing within.

IBM states that the detection of mainframe vulnerabilities is the responsibility of the client, according to the standard terms and conditions of IBM’s mainframe warranty. In addition, PCI, Sarbanes-Oxley, and ISO standards stipulate that penetration testing needs to be carried out regularly.

Pentesting Research and Tools

Learn about penetration testing on our blog, our open source penetration testing toolsets for the infosec community, and our SQL injection wiki.