Summary
Despite their importance, mainframes are often under-tested or misunderstood. In this article, we dive into the best practices of mainframe security testing and practical safeguards with our Security Consultant and Global Mainframe Lead, James Boorman.
Intro to mainframes
Strictly speaking, “mainframe” refers to systems like IBM z/OS, Unisys ClearPath, or certain Fujitsu models. Whether you’re calling it a mainframe or a midrange system with mainframe DNA, the security challenges, operational behaviors, and strategic importance remain largely the same.
These applications are built up over time and are highly interconnected to meet strict regulatory demands. What looks simple on the surface involves numerous systems working together to review customer information, verify transactions, and manage accounts.
Common attack paths in mainframe environments
Most mainframe vulnerabilities stem from access control misconfigurations, which makes privilege escalation and unintended data exposure real concerns. Let’s break down the most common and practical attack paths.
Most vulnerabilities stem from access control misconfigurations.
1. Surrogate chaining
One of the standout techniques is surrogate chaining, where an attacker abuses job submission permissions to run code under higher privileged user IDs. If User A can act as User B, and User B can act as User C, then User A effectively gains User C’s privileges, even without direct rights. These chains can grow complex and be exploited if not carefully managed, especially in large systems with sprawling permission structures.
2. Application breakouts
In online applications, attackers often look for a way to break out of the app’s restricted environment. By triggering errors or manipulating inputs, they aim to reach the underlying command environment, such as the CICS region. Having gained broader control, an attacker can start probing what access is possible at the platform level, even if they entered with a low privilege account.
3. Network-based entry points
Network-focused attack paths exist but are less common in practical testing. Gaining entry without credentials or direct access is difficult, given that most controls live inside the mainframe. Still, misconfigured services or stolen credentials through phishing can open doors, and these shouldn’t be overlooked.
4. Permission hopping via shared jobs or datasets
Mainframe security often revolves around resource protection and access assignments. If an attacker can alter a job that runs under another user’s credentials, they inherit that user’s access. Misconfigured datasets, improperly secured USS (Unix System Services), and over-permissioned profiles can make these jumps surprisingly easy.
Mainframe security largely comes down to navigating complex webs of access. System owners should stay vigilant, review permission hierarchies regularly, and test not just individual applications, but also how they connect across the environment. With thousands of users and highly interconnected apps, one weak link can expose the rest.
Mainframe security testing: platform vs. application
Security testing for mainframes typically happens on two levels:
- Platform-level reviews. Broad assessments, similar to a build review. They target the overall platform, checking subsystems and mainframe specific controls. Because mainframes can host hundreds of applications and thousands or tens of thousands of databases and tables, going deep isn’t practical. Understanding why each person has access to every table would take mind-numbingly long. Instead, the assessment focuses on the wider configuration of the operating system and its subsystems, identifying systemic misconfigurations and weaknesses at the cost of specificity.
- Application-level reviews. More focused and context-rich. Testers examine specific apps, like a payment review tool, along with the data it uses, who can access it, and how it behaves. This approach is typically suitable for assurance driven compliance and provides visibility into the security posture of the specific application and its resources. However, since mainframe applications rarely exist in isolation, this method can miss both the wider solution and the bigger system picture, especially when applications rely heavily on each other.
The gap can be bridged with strategic middle-ground assessments. These look at clusters of related applications (such as the 40 systems that make up a payment engine) to understand how data flows between them, where interdependencies lie, and how attackers might move laterally.
It’s a space where purple teaming or attack path mapping can add real value, combining offensive and defensive testing to simulate realistic threats through complex environments as part of a mainframe security assessment.
Strengthen your critical systems with a holistic mainframe security assessment that prevents breaches and reduces your attack surface.
Explore serviceThe reality of mainframe security testing
Mainframe systems often sit at the heart of an organization’s infrastructure, quietly powering critical operations behind the scenes. Despite their importance, they are frequently under-tested or misunderstood. This stems not just from their legacy nature but from a skills gap and a tendency to treat them as untouchable black boxes.
Mainframe security testing isn’t commonly practiced; it’s a niche skill set, and few professionals specialize in it. In many cases, organizations say they test mainframes but restrict those efforts to unauthenticated network scanning. When services don’t respond or appear hardened, testers often walk away satisfied. The result is superficial assessments that miss systemic vulnerabilities.
Organizations say they test mainframes but restrict those efforts to unauthenticated network scanning.
Why a combined platform and application approach matters
The organizations that truly commit to effective mainframe testing take a , separating platform-level configuration and application-level security within a comprehensive mainframe security assessment. This dual perspective provides:
- Broad visibility into how infrastructure wide settings affect individual components
- Granular understanding of application specific risks, such as poorly configured authentication or insecure data storage
- Coverage for legacy weaknesses that stem from outdated assumptions about how the systems work
Testing both dimensions helps uncover attack paths rooted in decades-old code and documentation gaps.
Testing frequency: Compliance vs. proactivity
Security testing cycles vary widely. Some enterprises test mainframes only to meet compliance thresholds, annually or once every few years, depending on system criticality. Others take a more proactive stance, building regular mainframe testing into their operational security roadmap.
Some organizations still neglect to perform routine, comprehensive mainframe testing.
Common misconceptions and hidden risks
One recurring theme in mainframe testing is the prevalence of assumptions:
- “The application passwords are encrypted” until closer inspection reveals they’re stored in plaintext.
- “Application IDs can only be used by one user” until a tester successfully impersonates another user.
- “No one can access this system” until someone tries… and succeeds.
These myths persist because documentation is missing, incomplete, or lost to time. The problem is made worse by knowledge silos and shrinking subject matter expertise.
Mainframe security: Best practices for organizations
Mainframes continue to run critical services in many industries. Their longevity does not make them secure by default. Here are mainframe best practices to prioritize:
1. Follow vendor guidance, and actually apply it
Leading vendors, such as IBM, publish extensive best practice documentation for securing their platforms and subsystems. These resources offer practical architecture guidance and proven security configurations. Too often they’re overlooked or only partially implemented. The first security win is making sure they’re followed properly.
2. Perform regular, context-aware security testing
Mainframes shouldn’t be tested once every few years just to tick a compliance box. Security assessments should be recurring and adapted to each organization’s setup. Testing should span:
- Platform-wide evaluations to examine overall configuration and access control
- Application-level reviews that uncover business logic flaws and interface risks
- Strategic audits tailored to the organization’s architecture and threat landscape
No two mainframe environments are identical, even when they run similar software. Testing should reflect how each system is deployed and configured.
3. Configure the security subsystem correctly
Mainframes use internal security subsystems to enforce access controls and define privilege boundaries. Misconfigurations here can undermine the entire platform. Organizations should:
- Audit subsystem roles, groups, and policies regularly
- Enforce least privilege for users and services
- Ensure separation between test and production environments
4. Lock down network access with firewalls and segmentation
Production mainframes should be isolated from internal networks wherever possible. Strict firewalling and zone segregation help prevent lateral movement and unauthorized access. Air-gapped designs or tightly controlled access paths are ideal for critical workloads.
5. Monitor and audit with intelligence
Basic logging isn’t enough. Security teams should implement monitoring with alerts tied to behavioral anomalies, for example:
- A Db2 table accessed at unusual hours
- An unexpected admin login from a new source
- Privilege escalation attempts outside approved workflows
Correlating these events across logs can surface hidden attack paths or misconfigurations.
6. Modernize authentication and access management
Many mainframes still rely on legacy password practices. Eight-character passwords with low complexity are common. Modern integrations exist and should be adopted:
- Enable multi-factor authentication (MFA)
- Use privileged access management tools
- Implement just-in-time access for high privilege accounts
- Rotate sensitive credentials on a schedule or per use
Security maturity varies, but updates here can improve defenses with relatively little friction.
8. Encrypt sensitive data at rest
A surprising number of legacy systems still store sensitive data in plain text. Apply current encryption standards wherever sensitive data resides:
- Within databases and application tables
- In archival or regulatory storage
- For data in transit, avoid legacy SSL and TLS versions
Data-at-rest encryption helps protect against insider threats and improperly scoped access.
Industry-specific mainframe security practices
Mainframes are deeply embedded in sectors like finance, healthcare, aviation, insurance, and government. Even within the same industry, they’re configured and deployed in very different ways. While broad mainframe security principles apply, some contexts call for targeted best practices and awareness of specific regulatory frameworks.
Financial institutions: More than compliance
In banking and finance, mainframes often handle core transaction processing and customer data. These systems may fall under mandates such as PCI DSS when cardholder data is involved. PCI DSS offers checklists-tyle guidance for testing and encryption, but it should be treated as a starting point:
- Treat PCI DSS as a baseline, not the finish line.
- Customize testing to reflect actual platform risk.
- Ensure sensitive data such as identifiers, credentials, and financial records is encrypted at rest and in transit.
Legacy systems can slip out of modern compliance pipelines simply because they’re hard to test.
Aviation: Legacy systems that still fly
Airlines rely heavily on mainframes for reservations, departure control, and crew scheduling. Despite that dependence, these systems are often considered untouchable. Even if direct testing is challenging, aviation operators should prioritize:
- Network segregation of operational systems from passenger-facing applications
- Monitoring of batch jobs and scheduling access to detect potential abuse
- Updating authentication mechanisms across reservation platforms that integrate with legacy backends
While not bound by PCI DSS across the board, aviation companies still handle sensitive data such as passport numbers, personal information, and payment details, and must comply with international privacy laws and standards.
Avoid minimum viable testing
Regulated or not, requirements are only a floor. Best practice is simple: don’t settle for the bare minimum. Legacy systems are as critical as newer applications, often more so. Visibility is limited, the technology stack carries decades of change, and integration with modern platforms is tight. That combination makes mainframe environments both highly valuable and easier to misjudge.
Organizations should:
- Treat mainframes as active components of modern architecture
- Test regularly and purposefully, beyond compliance thresholds
- Integrate mainframe security into enterprise-wide strategies
How Reversec can help
Our mainframe security assessment provides a holistic view of your environment, with end-to-end coverage that includes applications, network exposure, operating system controls, and other interactions within the wider environment. This approach helps you apply layered security controls and meaningfully reduce your attack surface.
We blend scarce mainframe security skills with modern testing techniques and tailor each assessment to your needs, providing maximum coverage and assurance aligned with mainframe security best practices. Our team also brings industry-specific experience from finance, aviation, healthcare, and government clients.
