Whether Mainframe (z/OS) or IBM i (AS/400), these systems remain the beating heart of the most sensitive infrastructures - from finance to logistics. And yet, with expertise becoming increasingly scarce and the market increasingly open to the cloud, their security is often underestimated.
Renowned for their historical robustness, these platforms now require rigorous configuration and fine-tuned monitoring to counter increasingly sophisticated risks. Performing an audit means transforming these "black boxes" into pillars of trust to guarantee business continuity and control of your digital assets.
IBM Z security audit (z/OS mainframes)
Mainframes are still at the heart of today's most critical information systems. Yet the security of these environments is often poorly understood, and expertise is in short supply. This combination creates a growing risk, even though these systems host the most sensitive corporate data and processes. Reinforcing mainframe security means ensuring the continuity, confidence and control of your digital assets.
Your challenges
You operate in highly sensitive sectors (banking, insurance, defense, healthcare) where the z/OS mainframe is the backbone of your business. Today, you are faced with:
- A loss of technical expertise: the retirement of mainframe experts leaves a number of grey areas in security configuration.
- Strong compliance requirements: the need to meet rigorous assessments such as CSPN or Common Criteria.
- A risk to image and continuity: a compromise in this segment of the information system has a direct impact on the survival of the organization.
Our solutions
Oppida, a specialized firm with over 20 years' experience, provides concrete solutions to secure your z/OS:
- Organizational audit: structured assessment of mainframe organizational and physical security, covering governance, operational security processes and infrastructure and asset protection measures.
- Architecture audit: technical assessment of the information system's security architecture, covering identity management, administrative access, network partitioning and logging mechanisms.
- Configuration audit: evaluation of the security configuration of the mainframe environment (z/OS, RACF and DB2) based on STIG recommendations, covering authentication, access control, traceability and system hardening mechanisms.
- Intrusion testing: identification and exploitation of mainframe attack vectors linked to exposed services, authentication mechanisms and misconfigurations of the system and its applications.
- Code audit: evaluation of the robustness of security mechanisms, resource and data access management, implementation of cryptographic mechanisms and robustness of application logic, in the different languages supported (COBOL, Java, REXX...).
- R&D expertise: our methodologies are continually enriched by the work of our in-house laboratory.
We answer your questions
IBM i (AS/400) security audit
AS/400s, now more commonly known as IBM i or System i, are technologies widely used in many sectors, from logistics and retailing to banking and insurance. These database-driven systems offer robust, efficient administration of applications and data.
Considered the "little brothers" of mainframes, they are renowned not only for their low exposure, but also for their historical robustness, stability, performance and ease of maintenance. However, with the increasing integration of new components and services, these critical systems require fine-tuned, rigorous configuration.
Your challenges
You use IBM i for its efficient management of business applications and data, but you're facing new challenges:
- An extended attack surface: misconfigured services (FTP, Telnet, LDAP, POP3, DB2) can introduce new vulnerabilities.
- Obsolete historical configurations: accumulation of privileged accounts (SECOFR, SECADM), poor password policy or misconfigured access.
- The need for proof of security: your partners and regulators are now demanding concrete configuration audits and penetration tests.
Our solutions
Oppida offers a structured approach to assessing and hardening your IBM i systems:
- Intrusion testing: identifying and exploiting attack vectors linked to exposed services, authentication mechanisms and system misconfigurations. We simulate realistic attack scenarios such as profile hijacking, Library List Poisoning (LIBL), SQL injection and Initial Program Breakout.
- Configuration audit: evaluation of system parameters and values, review of user privileges, password policy, object protection and partitioning.
- R&D expertise: our methodologies are continually enriched by the work of our in-house laboratory.
Which organizations are concerned by this type of audit?
Security audits concern any organization with a critical information system or handling sensitive data: private companies, public institutions, operators of critical infrastructures, financial or industrial establishments.
Are audit results confidential?
Yes, information gathered and audit results are treated as strictly confidential and may be covered by confidentiality agreements.
Which sectors are most affected?
Banking, aeronautics and insurance.
What is Library List Poisoning?
This is a technique where an attacker hijacks the program search path to execute malicious code instead of legitimate software.
Is the configuration audit based on standards?
Yes, we draw on our in-house experience and IBM's official hardening standards.
What types of audits can be carried out?
Audits can cover a wide range of areas, including organizational security, information system architecture, infrastructure configuration (including mainframe environments), penetration testing and source code auditing.
How long does a security audit take?
The duration depends on the scope and complexity of the system being audited. In practice, an audit can last from a few days to several weeks, including the preparation, technical analysis and reporting phases.
How much does a security audit cost?
The cost depends mainly on the technical scope, the number of systems to be audited and the level of depth expected. A precise estimate is generally provided after a scoping phase to identify the needs and objectives of the audit.
Do audits disrupt production?
Audits are designed to minimize the impact on production environments. Certain activities, such as penetration testing, can be scheduled over specific time slots to limit operational risks.
Who on the customer side should participate in the audit?
An audit usually involves security teams, infrastructure or production teams, application managers and sometimes business teams, in order to understand operational processes and constraints.
How often should a security audit be carried out?
It is recommended to carry out a security audit on a regular basis, generally every 1 to 3 years, or when major changes are made to the information system (new architecture, migration, new critical applications).
What deliverables are provided at the end of the audit?
At the end of the audit, a detailed report is delivered, including findings, risk analysis, identified vulnerabilities and a set of prioritized recommendations for improving security posture.
Why choose Oppida?

A tailor-made offer

A trusted third party


