Costin Enache wrote:

>What do you need the assessment for? If you need it for some certification / legal
>purpose, then there are cheap, not too technically advanced solutions out
>there. If you are actually looking into detecting and addressing security
>issues, then it gets complicated :)

Good first question! Ask that 'WHY' question and ask it again. ;-)

>... a penetration test, ...

From where? Costs can vary wildly depending on the type of Pen Test and the origin of those tests (within the mainframe or from outside) and the usage of whatever utilities.

>Once you have decided what type of assessment you are looking for, you should
>define the scope of the project: ...

Another good question: What is the scope? z/OS? Application? Mainframe Network and/or other network connecting to the mainframe? OMVS setup? RACF or ESM? etc.

>There will be plenty of companies claiming to do mainframe security
>assessments, coming from the penetration testing field, with little if any
>mainframe experience, who would fire some tools, maybe crash some things, give
>you an absurd, pointless report.

Indeed. One PT in the past resulted in heavy network load. Next time, 'they' have to arrange for a date/time *before* they repeat their PT. 'They' tried once to repeat their PT without formal approval and later complained about why we blocked their system from accessing our mainframe. Tsk, tsk, tsk. Too bad, too sad.

>Maybe it will be cheap, but useless.

Those cheapies asked me *why*, oh *why* is there not an Anti-Virus package and Malicious Software detection installed on z/OS (excluding Linux and similar animals of course).

>Before selecting a provider, make sure you talk to them, interview the
>auditors and make sure they are familiar with mainframes, ...

You can also ask them, if they find a problem, what would *they* suggest to fix it. It will demonstrate their real skills.

Groete / Greetings
Elardus Engelbrecht