Pentest Mainframes
Protect Your Systems and Applications
In industries such as finance and insurance, airlines or retail, large volumes of sensitive data must be processed on a regular basis. Since mainframe solutions are particularly powerful, they continue to be the preferred choice in these industries in particular. In addition, mainframes and their operating systems, such as z/OS or AS/400 (System i), are generally considered to be particularly robust and secure. But even here, errors in development as well as configuration and operation can lead to vulnerabilities with consequences that threaten the very existence of companies. For this reason, mainframe solutions should also be subjected to regular technical security checks.
Did you know?
Standards such as PCI and ISO as well as the regulatory requirements of the German Federal Financial Supervisory Authority (BAIT, KAIT, ZAIT) demand regular penetration tests on the mainframe. In addition, IBM's standard warranty terms and conditions make vulnerability detection the client's responsibility.
How can we help?
We combine expert knowledge in the configuration and operation of mainframes with years of experience in security analysis and penetration testing (pentesting).
Using a combination of greybox pentest, code review and security audit, we identify critical vulnerabilities on the mainframe and in applications running on it that can be exploited for unauthorized access or privilege escalation, for example.
Common vulnerabilities include:
- Faulty identity and access management
- Use of default passwords and weak password management
- Incorrect database configurations
Our Approach to Mainframe Pentests
The test consists of 3 phases:
Nicht bearbeiten!
Phase 1: Preparation and scoping
In the run-up to the pentest, our security analysts coordinate with the responsible contact persons from your company on the specific scope, the test content, the schedule and your obligations to cooperate.
Phase 2: Mainframe pentests on configuration and hardening levels
Gathering information on, among other things:
- The PL parameters for current IPL, the APF authorization, the Linklisted and LPA records, the JES Spool & Checkpoint records, the Page & SMF records, and the IPLPARM & Parmlib records,
- the hardware configuration, including the IODF datasets and the ISPF datasets (CLIST, REXX, etc.),
- the security systems or ESMs (e.g. RACF, ACF2 & TSS) for all previously mentioned data sets.
Review of configuration and hardening
Our analysts perform a comprehensive analysis of your mainframe environment. The following reviews are included:
- Review of privileged users (e.g. SPECIAL, NON-CNCL, UID(0)) as well as critical datasets (e.g. LINKLIB, PARMLIB, LPA, APF, JES2 / JES3 spool)
- Checking for the extension of user rights, e.g. by exploiting Authorized Program Facility (APF) libraries or via Network Job Entry (NJE)
- Checking of Public Resources, User SVCs, MVS & JES2 / JES3 Command Authority, RACF/TSS/ACF2 Exits, MVS Subsystems (IMS, Db2, CICS, NETView, etc.), MVS UNIX Environment
- Examination of access rights for e.g. RACF databases as well as the RACF PassTicket functionality
Phase 3: Pentest of mainframe applications
Our analysts test applications for security-critical malfunctions in the application logic, in access to the (operating) system, and in the interpretation and provision of data. During the pentest, they use various test procedures depending on the application to be tested.
The following tests are part of it, among others:
- Analysis of application behavior with modified input values (manually and by fuzzing) to identify weaknesses in system integration.
- Analysis of the transfer of sensitive information between frontend and backend
- Consideration of interfaces for secure interpretation of processed information, as well as secure serialization of provided information
- Identification and exploitation of unsecured administration interfaces (exploitation takes place only after consultation or approval)
- Investigation of application-specific permissions in RACF
Are your systems protected against attackers?
We are happy to discuss your options for analyzing your systems and applications by our security analysts. Feel free to contact us.