Presentation
A Pentester's View of the State of Z/OS Security: Real-World Observations from the Field
Description
Philip (Soldier of FORTRAN) and David (VideoMan) are professional mainframe hackers. Over the years they've tested dozens of LPARs and applications across financial services, healthcare, and government sectors. This talk examines the current state of z/OS security based on real-world penetration testing findings.
We'll explore why fundamental security controls remain poorly implemented despite being technically feasible for decades. Multi-factor authentication adoption is limited, network segmentation is rare, and passphrases longer than 8 characters are still uncommon in 2025. Through live demonstrations, we'll show you how penetration testers exploit these gaps—from enumerating TSO users and mapping datasets to accessing unprotected job output and leveraging misconfigured CICS transactions. These demos illustrate the practical impact of common configuration weaknesses.
We'll also discuss the organizational disconnect between mainframe teams and cybersecurity organizations that leaves CISOs with limited visibility into their most critical systems. When the teams managing trillion-dollar transaction platforms operate separately from enterprise security, important security controls can fall through the cracks.
The positive side? Z/OS is highly securable—most findings are preventable through proper configuration. This session will provide actionable recommendations for closing these gaps, leveraging industry frameworks like NIST checklists and CIS benchmarks. We'll cover both quick wins and longer-term projects worth prioritizing.
Whether you're a system programmer, security professional, or IT leader, you'll leave with concrete steps to improve your mainframe security posture and demonstrations you can reference when discussing security priorities.
Contributors
Director Mainframe Penetration Testing
Principal Mainframe Penetration Testing
Event Type
Technical Session
Time
Monday, February 23
1:15pm - 2:15pm EST
Location
Salon 20
Network Security and Management
Security and Compliance
z/OS Systems Programming
Strengthen Security & Access Controls
Service Delivery
Best Practices Session
Intermediate
Security Warrior
