Finding qualified mainframe security experts with an in depth understanding of the z/OS architecture is a challenge. As a result, mainframes are often passed over during security reviews, which creates risk to some of the business’s most critical infrastructure. Key Resources, Inc has those specialists, and we offer mainframe penetration testing that provides the analysis and reporting you require for compliance.

We Identify Code and Configuration Vulnerabilities in Your z/OS Mainframe Systems

While z/OS mainframe deployments can be far more secure than other platforms, they can still suffer from critical software and configuration vulnerabilities. These vulnerabilities often can be exploited via a simple REXX Exec, which presents significant risks to your company.

IBM’s z/OS Authorized Assembler Services Guide states that you are responsible for making sure that anything you install on each z/OS system you maintain meets the criteria of the integrity statement.

 To ensure that system integrity is effective and to avoid compromising any of the integrity controls provided within the system, the installation must assume responsibility for the following:

  • Physical environment of the computing system.

  • Adoption of certain procedures (for example, the password protection of appropriate system data sets) that are a necessary complement to the integrity support within the operating system itself.

  • That its own modifications and additions (3rd Party Software) to the system do not introduce any integrity exposures. That is, all installation-supplied authorized code (for example, an installation SVC) must perform the same or an equivalent type of validity checking and control that the system uses to maintain its integrity.

Additionally, compliance with industry standards such as PCI, Sarbanes Oxley (SOX) and ISO standards require that penetration testing must be performed regularly.

Our Mainframe Penetration Testing Service

Our penetration testing experts test the following areas:

  • APF Library access checks

  • Password checks

  • JES2/JES3 command authority checks

  • RACF/TSS/ACF2 exit checks

  • JES2 / JES3 spool dataset checks

  • MVS subsystem checks (IMS, DB2, CICS, NetView, MQ, etc.)

  • MVS UNIX, VM, Linux checks

  • Scanning of SVC’s, PC Routines

Our Mainframe Penetration Testing Service

Phase 1: Data Collection

We gather information that is necessary to build our test cases.  We gather the following data unique to each client.

  • IPL Parameters for current IPL of the system we are testing,

  • APF Authorized Libraries,

  • Linklist and LPA Datasets listings,

  • JES Spool & Checkpoint Datasets,

  • Page & SMF Datasets,

  • IPLPARM & Parmlib Datasets,

  • Hardware Configuration

  • ISPF Datasets (CLIST, REXX, etc.)

Phase 2: Mainframe Penetration Testing

Run through our checklists to determine if privilege escalation is possible.

Phase 3: Software Scan

z/Assure Vulnerability Analysis Program is executed to scan for integrity exposures found in Supervisor Call (SVC) Interfaces, Operating System Exits, Program Call (PC) Routines and authorized Program Function (APF) calls.

Detailed reports are generated for each vulnerability that allow for quick remediation by the code owner.  Once the code is remediated, we run through a second check of the offending program to make sure the code has been fixed and no new vulnerabilities have been introduced.