Finding qualified mainframe security experts with an in-depth understanding of the z/OS architecture is a challenge. As a result, mainframes are often passed over during security reviews, which puts some of the business's most critical infrastructure at risk. Key Resources, Inc. has those specialists, and we offer mainframe penetration testing that provides the analysis and reporting you require for compliance.
We Identify Code and Configuration Vulnerabilities in Your z/OS Mainframe Systems
While z/OS mainframe deployments can be far more secure than other platforms, they can still suffer from critical software and configuration vulnerabilities. These vulnerabilities can often be exploited with a simple REXX exec, which presents significant risk to your company.
IBM's z/OS Authorized Assembler Services Guide states that you are responsible for ensuring that anything you install on each z/OS system you maintain meets the criteria of the integrity statement.
To ensure that system integrity is effective and to avoid compromising any of the integrity controls provided within the system, the installation must assume responsibility for the following:
Additionally, compliance with industry standards such as PCI, Sarbanes-Oxley (SOX) and ISO standards requires that penetration testing be performed regularly.
Our Mainframe Penetration Testing Service
Our penetration testing experts test the following areas:
Phase 1: Data Collection
We gather the information needed to build our test cases, including the following data, which is unique to each client.
Phase 2: Mainframe Penetration Testing
We run through our checklists to determine whether privilege escalation is possible.
Phase 3: Software Scan
The z/Assure Vulnerability Analysis Program is executed to scan for integrity exposures in Supervisor Call (SVC) interfaces, operating system exits, Program Call (PC) routines and Authorized Program Facility (APF) calls.
Detailed reports are generated for each vulnerability, allowing the code owner to remediate quickly. Once the code is remediated, we re-check the offending program to confirm that the fix is in place and that no new vulnerabilities have been introduced.