The RSM Partners Mainframe Penetration Testing service seeks to identify risks that exist in your IBM Z mainframe systems. This enables you to plan appropriate action to plug gaps, strengthen your defences, protect business-critical operations and comply with industry standards.
World-class expertise to identify vulnerabilities and plan your response
Understanding the risks
Mainframe penetration testing and vulnerability testing are essential. Vulnerabilities come in two forms: infrastructure and software. Mainframe infrastructure vulnerabilities result from failings in hardware configuration, system configuration parameters and security system controls. Software vulnerabilities arise from poor design and coding standards in the z/OS operating system, Independent Software Vendor products and in-house coding. Such vulnerabilities can allow a basic user to gain access to any resources and data on the system, leading to the potential for serious breaches that can compromise both system and data.
Our technical skills and experience help you to understand and mitigate those risks, revealing mainframe vulnerabilities and enabling remediation to be planned and prioritized. Deliverables include:
Initial findings provided onsite
Mainframe Penetration Test Report issued within two weeks of onsite testing
Optionally, a demonstration of one of the exploits discovered
Client Checklist for recommended remediation activities
RSM Partners consultants meeting in-house personnel and/or ISVs to discuss vulnerabilities identified
Essential testing - made easy
Under standard warranty terms and conditions, IBM puts responsibility for detection of mainframe vulnerabilities on its clients. Additionally, compliance with industry standards such as PCI, Sarbanes-Oxley and ISO standards requires that penetration testing be performed regularly.
RSM Partners' recommended 3-Phase Mainframe Penetration Testing Process includes:
Phase 1: Non-Disruptive Data Collection - our experts gather data including: IPL Parameters for current IPL; APF Authorised, Linklisted and LPA Datasets; JES Spool & Checkpoint Datasets; Page & SMF Datasets; IPLPARM & Parmlib Datasets; Hardware Configuration, including IODF Datasets; ISPF Datasets (CLIST, REXX, etc.); and security information for all of the above (RACF, ACF2 & TSS).
Phase 2: Mainframe Penetration Testing - our experts probe your mainframe environment intensively, determining if it's possible to elevate privileges, including: Library Access Checks, Password Checks, Public Dataset Checks, Public Resource Checks, User SVC Checks, MVS & JES2 / JES3 Command Authority Checks, RACF/TSS/ACF2 Exit Checks, JES2 / JES3 Spool Dataset Checks, MVS Subsystem Checks (IMS, Db2, CICS, NetView, etc.), MVS UNIX Environment Checks, and Miscellaneous Checks.
Phase 3: Software Scan - working across your systems, a special vulnerability scanning software tool is deployed, using proprietary fuzzy logic technology to identify system integrity exposures found in Supervisor Call (SVC) Interfaces, Operating System Exits, Program Call (PC) Routines and Authorised Program Function (APF) calls. The tool collects code vulnerability data and generates a detailed report that lists vulnerabilities, enabling prompt and targeted remediation action.
Example Client Engagement
Engaged by the audit partner of two large UK-based insurance companies, we perform regular mainframe penetration tests, revealing and risk assessing various issues, planning remediation and enabling these insurers to comply with regulatory requirements.