Security is critical

Inadequate security can prevent your application from being deployed in two ways:

• Most clients need approval from the IT security group who review the application’s security before the project team can put the application into production.
• If a client is building their application with Deployment Manager, the application will be blocked if the Security Checklist has not been completed.

Your responsibility as an administrator, senior system architect, or lead system architect is to ensure the confidentiality, integrity, and availability of your application. Unauthorized individuals should not be able to access or modify the application or the data it creates and stores. Further, users should only have access to those application functions and data that are necessary to perform their jobs.

Assign responsibility for administering security

At the beginning of application development, determine who is responsible for verifying the completion of the tasks in this checklist, and assign clear responsibility for each task to the Security Administrator.

• Create a Security Administrator work queue.
• Add operators to this work queue who are responsible for verifying the completion of checklist tasks.
• Click the option on each task to create a corresponding user story, give it a high priority, and assign to this work queue.

  For more information, see Notifying operators of work queue activity.

Independent security assessment

An independent assessment of your application’s security, and sign-off of that assessment, is always recommended and is required by most organizations’ IT Security groups.

Guardrail compliance: the basis of a secure application

The most important security requirement for all Pega Platform applications is to maintain guardrail compliance. Pega Platform security features cannot always be successfully enforced in custom code.

Use the built-in security configuration features in Pega Platform to protect your application, and do not rely on custom code built by developers who are not security experts.

Review the Application Guardrails landing page weekly and make changes to keep your application rules in compliance.

Do not wait until deploying your application to eliminate non-compliant rules, because applying changes is costlier after deployment.

For more information, see Improving your compliance score.

If your application includes custom Java or custom HTML written by your project team, there are special tasks you must perform to secure that code.

For more information, see:

• Security Checklist for custom code.

Not all security tasks are required for all applications or releases

It’s important to understand the nature of the application and how it will be deployed when reviewing the Security Checklist tasks – these tasks are not required for all applications:

• Security Checklist core tasks are critical and should be performed for every application.
• Security Checklist additional tasks may or may not be required, depending on what Platform features your application uses, how much you customize a Pega application, the amount of sensitive data created and stored within the application, and other factors.
• Special considerations apply for public-facing applications, where not all users are your employees.

  For more information, see Basic requirements for deploying public-facing applications.

• Your choice of deployment environment also determines which tasks you need to complete. Pega Cloud configures most deployment environment security for you automatically.

  For more information, see:

  • Security Checklist when deploying on Pega Cloud.
  • Security Checklist when deploying in on-premises environments.