TECH_277: A Pentesters View of the State of ZOS Security Real-World Observations from the Field
Project and Program: Security
Tags: Proceedings, SHARE Orlando 2026, 2026
Philip (Soldier of FORTRAN) and David (VideoMan) are professional mainframe hackers. Over the years they've tested dozens of LPARs and applications across financial services, healthcare, and government sectors. This talk examines the current state of z/OS security based on real-world penetration testing findings. We'll explore why fundamental security controls remain poorly implemented despite being technically feasible for decades. Multi-factor authentication adoption is limited, network segmentation is rare, and passphrases longer than 8 characters are still uncommon in 2025.

Through live demonstrations, we'll show you how penetration testers exploit these gaps—from enumerating TSO users and mapping datasets to accessing unprotected job output and leveraging misconfigured CICS transactions. These demos illustrate the practical impact of common configuration weaknesses.

We'll also discuss the organizational disconnect between mainframe teams and cybersecurity organizations that leaves CISOs with limited visibility into their most critical systems. When the teams managing trillion-dollar transaction platforms operate separately from enterprise security, important security controls can fall through the cracks.

The positive side? z/OS is highly securable—most findings are preventable through proper configuration. This session will provide actionable recommendations for closing these gaps, leveraging industry frameworks like NIST checklists and CIS benchmarks. We'll cover both quick wins and longer-term projects worth prioritizing. Whether you're a system programmer, security professional, or IT leader, you'll leave with concrete steps to improve your mainframe security posture and demonstrations you can reference when discussing security priorities.