Mainframe Application Penetration Test
This Service identifies current risks and issues associated with the identified application in the Customer’s IBM® System Z®* environment. It includes review of the application access, security controls, and application security configuration.
What you get:
BMC will perform the following for one application on one LPAR running IBM® z/OS®:
- Discuss the scope and outline the high-level plan for the test
- Assess the security configuration and controls defined in the application
- Perform a White Box* penetration test that includes privilege escalation attempts using various user IDs provided by Customer
- Conduct data gathering on the application and perform analysis on the following:
  - Up to 100 batch jobs (can be samples provided by Customer)
  - Up to 100 online screens (can be samples provided by Customer)
- Execute application penetration test
- Analyze penetration test results
- Generate Application Penetration Test Report
- Provide encrypted Deliverable to Customer
Disclaimer: If Customer asks for suggestions on third-party equipment, software and services, BMC makes no representation or warranty whatsoever regarding such equipment, software and services or that the same shall be fit for the Customer’s purpose.
Customer will be responsible for:
- Providing two basic time-sharing option (TSO) user accounts
- Providing remote access to Customer’s mainframe via Virtual Private Network (VPN) or Virtual Desktop Interface (VDI)
- Maintaining and ensuring back-ups and recovery files
- Providing instructions on how to connect to the LPAR, including such details as:
  - IP address
  - Port number
  - Standard user ID
  - SSL certificate details, if required
- Providing a high-level application description, including such details as:
  - Application name
  - Application description
  - Approximate number of users
  - Transaction processing environment
  - Database and file datastores
  - Application and data optimization techniques
  - Batch processing environment
  - Type of security
  - Type of output management
  - System connectivity
  - Source code management tools
  - Coding language
Deliverables: Using BMC’s standard methodology and templates, the following Deliverables are in scope for this project and will be delivered:
- Application Penetration Test Report
Completion Criteria: BMC will have completed these Consulting Services when the in-scope Consulting Services have been completed and the Deliverables have been delivered to the Customer Project Manager.
Prior to the redemption of this Service, Customer must provide advance notification of internal security processes that require BMC to enter into any special terms and conditions before gaining access to Customer’s infrastructure.
- Customer has obtained the appropriate rights and permissions of any third parties for Customer to provide information relating to such third parties’ hardware, software and solutions and allow BMC to carry out the Services on their hardware, software and solutions that are in scope.
- Customer will provide BMC with two mainframe accounts (RACF®, ACF2 or TSS) defined to the ESM as basic users. These users should have access similar to that of a mainframe application developer or other basic system user.
- Customer will provide hands-on-keyboard access to the mainframe for BMC consultants.
- Estimated Duration: 6-8 weeks
- In-Scope Product: BMC AMI Security
- Service Type: Advisory & Planning
- Availability: Active
- Success Service Code: BMSS_APPT_001
- Date Last Updated: 07/20/2022
- ESM – External Security Managers
- IBM z/OS – Z operating systems used by Customer
- IBM Z – Registered trademark of International Business Machines Corporation in the United States, other countries, or both
- White Box Testing – A testing technique which checks the internal functioning of the system
z/OS, z Systems, RACF and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.