Mainframe penetration testing
Finding mainframe security experts is a challenge. As a result, mainframes are often passed over during security reviews, which increases the risk to the business-critical infrastructure that runs on them. NetSPI’s mainframe penetration testing is led by one of the field’s most experienced mainframe security practitioners, who brings insight into your LPAR security and provides actionable guidance on how to improve it and meet compliance requirements.
Mainframe penetration testing benefits
Why do I need mainframe penetration testing? Mainframes run your critical workloads and depend on integrity and high availability to keep the business running. Because these environments are complex and have grown organically over decades, vulnerabilities may well exist in them.
Mainframe security vulnerabilities can let an external or internal attacker bypass the existing security controls. Once those controls are breached, the confidentiality, integrity, and availability of the mainframe’s systems and data are at high risk.
IBM states that detecting mainframe vulnerabilities is the client’s responsibility under the standard terms and conditions of IBM’s mainframe warranty. In addition, PCI DSS requires regular penetration testing, and Sarbanes-Oxley and ISO 27001 audits commonly expect it as evidence that controls are effective.
What does NetSPI test for?
Our testing approach is based on NIST Special Publication 800-53, PCI DSS, IBM recommendations, the MITRE ATT&CK framework, and other industry best practices. Our mainframe penetration testing experts offer four types of testing:
Blackbox (unauthenticated) testing
- Network service discovery
- Vulnerability discovery and verification
- VTAM/SNA discovery
- Logical unit (LU) enumeration
- Application ID (APPLID) discovery
- TN3270 application testing
- Web application testing
- Password auditing
- Network Job Entry (NJE) testing
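The first items in the blackbox list (service discovery, LU enumeration, TN3270 application testing) usually start from a port scan. The script below is an added illustration, not NetSPI tooling: it triages nmap’s XML output (`-oX`) for a suspected z/OS host into the service inventory a tester works from, and it assumes the `tn3270-screen` and `lu-enum` NSE scripts were run. The XML sample, the address 192.0.2.10, and the LU names are constructed for the example.

```python
"""Triage an nmap -oX scan of a suspected z/OS host into the services a
blackbox mainframe test starts from (TN3270, NJE, FTP/JES, HTTP), pulling
out what the tn3270-screen and lu-enum NSE scripts reported.

Added example, not NetSPI tooling. Assumes nmap's tn3270-screen and
lu-enum scripts were run; SAMPLE_XML is constructed, not a real scan.
"""
import re
import xml.etree.ElementTree as ET

# Default listeners on z/OS. Assumption: defaults only, sites move them.
MAINFRAME_PORTS = {
    21: "FTP (z/OS FTP can submit JES jobs via SITE FILETYPE=JES)",
    23: "TN3270 (cleartext)",
    175: "NJE (Network Job Entry)",
    992: "TN3270 over TLS",
    80: "HTTP (web-enabled CICS, z/OS Connect, WebSphere)",
    443: "HTTPS (web-enabled CICS, z/OS Connect, WebSphere)",
}

# Constructed sample of what `nmap -sV -p 21,23,175,992,8080
# --script tn3270-screen,lu-enum -oX - 192.0.2.10` might return.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script tn3270-screen,lu-enum -oX - 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="tn3270"/>
<script id="tn3270-screen" output="Screen:&#10;  WELCOME TO THE MAINFRAME&#10;  APPLICATION ===>"/>
<script id="lu-enum" output="Logical Units:&#10;  LU: TERM0001&#10;  LU: TERM0002"/>
</port>
<port protocol="tcp" portid="175"><state state="open"/><service name="nje"/></port>
<port protocol="tcp" portid="992"><state state="open"/><service name="telnets" tunnel="ssl"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
</ports></host></nmaprun>
"""


def classify(port, service, scripts):
    """Label a port; script evidence beats the port-number guess."""
    if "tn3270-screen" in scripts:
        return "TN3270 (confirmed by screen)"
    if service == "tn3270":
        return "TN3270"
    return MAINFRAME_PORTS.get(port, "other")


def parse_scan(xml_text):
    """Return one dict per open port: host, port, service, role, scripts."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry nothing to triage
            num = int(port.get("portid"))
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            scripts = {s.get("id"): s.get("output", "") for s in port.iter("script")}
            findings.append({
                "host": addr,
                "port": num,
                "service": name,
                "role": classify(num, name, scripts),
                "scripts": scripts,
            })
    return findings


def logical_units(findings):
    """Collect LU names reported by lu-enum; they seed TN3270 session and
    VTAM/APPLID testing later in the engagement."""
    lus = []
    for f in findings:
        for m in re.finditer(r"LU:\s*(\S+)", f["scripts"].get("lu-enum", "")):
            lus.append(m.group(1))
    return lus


def summary(findings):
    """Count discovered roles, e.g. {'NJE (Network Job Entry)': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f["role"]] = counts.get(f["role"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_scan(SAMPLE_XML)
    for f in found:
        print(f"{f['host']}:{f['port']:<5} {f['service']:<8} -> {f['role']}")
    print("LUs:", logical_units(found))
```

The role labels are only a starting point: a TN3270 listener on a non-default port is confirmed by the `tn3270-screen` output rather than by its port number, which is why script evidence is checked before the port table.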
Presumed breach (authenticated) testing
- Automated vulnerability discovery
- RACF/Top Secret/ACF2 (external security manager) testing
- Vulnerability verification and exploitation
- Offline password auditing
- APF-authorized library privilege escalation
- TSO, JES2, and UNIX System Services testing
- SVC (supervisor call) privilege escalation
CICS application testing
- Common application vulnerability testing
- CICS transaction review/testing/exploitation
- AID (attention identifier key) handling testing
- BMS (Basic Mapping Support) map testing
- CICS web application testing
- CICS API testing
CICS region testing
- Checks for common CICS region misconfigurations
- Transaction ID enumeration and brute forcing
- Test access to critical transactions
- Password auditing
You deserve The NetSPI Advantage
Security experts
- 300+ pentesters
- Employed, not outsourced
- Domain expertise
Intelligent process
- Programmatic approach
- Strategic guidance
- Delivery management team
Advanced technology
- Consistent quality
- Deep visibility
- Transparent results
Featured resources
Mainframe Security Misconceptions
Debunk four mainframe security misconceptions and learn why mainframe penetration testing is important.
Why zOS Mainframe Security Matters
Watch this webinar to learn what mainframes are, how they can be a risk, and what companies can do to identify security holes before threat actors do.
Hack Responsibly: The Hidden Hazards of CICS Application Testing
This session on CICS and IMS application testing explains why comprehensive mainframe testing has to go beyond individual risk assessments.