These tasks are not part of the core Security Checklist because they do not apply to all applications. Review these additional tasks and determine whether they apply to your application.
Additional tasks in the Security Checklist
The tasks in this checklist are not considered core tasks because:
- They involve changing configuration defaults that Pega Platform specifies. The defaults should be acceptable for most organizations and most applications, but your organization’s security policies might require different settings. Examples are session time-out limits and policies for password format and complexity.
- If you are running a Pega application, they depend on how extensively and in what ways you have customized the application. An example is controlling access to REST services that you have added to the application by requiring strong authentication.
Securely authenticate REST API requests
Ensure that login attempts, and attempts to access data or functions through application services, are correctly authenticated and are from known, trusted users and systems.
For more information, see Authentication services.
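The following is an added example, not code from Pega Platform or its documentation, and not the platform's own REST authentication mechanism (use the authentication services linked above for that). It illustrates what "correctly authenticated and from known, trusted systems" requires of any system-to-system REST call: the caller presents a key ID the service already knows, a keyed signature covers the method, path, body and a timestamp so a captured request cannot be altered or replayed later, and the signature is compared in constant time. The key IDs, secrets, header names, request path and clock values are constructed for this example.

```python
"""Authenticating system-to-system REST calls with a keyed request signature.

Added example; not Pega Platform code. Caller IDs, secrets, header names and
the example path are assumptions made for this illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed credential store: key ID -> shared secret, one entry per trusted caller.
TRUSTED_CALLERS = {
    "billing-batch": b"constructed-secret-1",
    "crm-sync": b"constructed-secret-2",
}
MAX_CLOCK_SKEW = timedelta(minutes=5)   # how old a signed request may be

# Fixed clock values so the example is reproducible offline.
EXAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
EXAMPLE_LATER = EXAMPLE_NOW + timedelta(minutes=10)


def canonical_string(method, path, timestamp, body):
    """Fixed layout of everything the signature must protect."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(key_id, secret, method, path, body, now):
    """Client side: build the headers that carry identity, time and signature."""
    timestamp = now.isoformat(timespec="seconds")
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": timestamp, "X-Signature": mac.hexdigest()}


def verify_request(headers, method, path, body, now, callers=TRUSTED_CALLERS):
    """Server side: return (accepted, reason) before any business logic runs."""
    key_id = headers.get("X-Key-Id")
    timestamp = headers.get("X-Timestamp")
    signature = headers.get("X-Signature")
    if not (key_id and timestamp and signature):
        return False, "missing authentication headers"
    secret = callers.get(key_id)
    if secret is None:
        return False, "unknown caller"           # not a known, trusted system
    try:
        sent_at = datetime.fromisoformat(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - sent_at) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"          # limits replay of captured requests
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"            # tampered request or wrong key
    return True, "ok"


if __name__ == "__main__":
    body = b'{"caseId": "C-1001"}'
    path = "/prweb/api/v1/cases"   # example path only
    hdrs = sign_request("billing-batch", TRUSTED_CALLERS["billing-batch"], "POST", path, body, EXAMPLE_NOW)
    print(verify_request(hdrs, "POST", path, body, EXAMPLE_NOW))                        # (True, 'ok')
    print(verify_request(hdrs, "POST", path, b'{"caseId": "C-9999"}', EXAMPLE_NOW))     # tampered body
    print(verify_request(hdrs, "POST", path, body, EXAMPLE_LATER))                      # replayed later
```

Two points a practitioner should carry over to a real deployment: log the specific rejection reason server-side but return the same generic 401 to the caller, so that an attacker cannot learn which key IDs exist; and if requests must be rejected even when replayed inside the skew window, add a per-caller nonce cache on top of the timestamp check.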
- Configure authentication security policies
- Configure the following authentication security policies for stronger user authentication and session management:

| Authentication security policy | Benefit |
| --- | --- |
| Password format policies | Defend your system against brute force attacks, in which an attacker tries thousands of randomly generated credentials or popular passwords from a password dictionary to gain access to the application. |
| CAPTCHA policies | Guard passwords against brute force attacks by automated processes. |
| Session lockout policies | Guard against brute force attacks by locking out operator IDs that have too many failed login attempts. |
| Login attempt auditing policies | Help identify patterns of suspicious behavior. |
| Multifactor authentication | Increases identity verification by requiring a second, one-time passcode that is sent to the operator through a separate device or account. |
| Operator access policies | Automatically disable operator IDs that have been inactive for a specified period of time. |
For more information, see Managing security policies.
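The session lockout and login attempt auditing policies above are what a brute force attack looks like from the log's point of view. The following added example (not Pega Platform code, and not its lockout implementation) replays a constructed login audit log through a lockout rule and a second rule that per-operator lockout never catches: password spraying, where one source tries a few passwords against many operator IDs. The log line format, the policy thresholds and the sample entries are all assumptions made for this example; adapt `parse_line()` to the format your security event log actually produces.

```python
"""Offline analysis of a login-attempt audit log for brute force patterns.

Added example; not Pega Platform code. The line format
'<ISO timestamp> <operator ID> <source IP> <FAIL|OK>' and the policy values
are assumptions for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; replace them with the values your lockout policy uses.
MAX_FAILURES = 5                       # failures in the window that lock an operator ID
FAILURE_WINDOW = timedelta(minutes=15)
LOCK_DURATION = timedelta(minutes=30)  # how long a locked operator ID stays locked
SPRAY_THRESHOLD = 10                   # distinct operator IDs failed from one IP in the window


def parse_line(line):
    """Split one audit line into (timestamp, operator ID, source IP, succeeded)."""
    ts, operator, ip, result = line.split()
    return datetime.fromisoformat(ts), operator, ip, result == "OK"


def analyze(log_text):
    """Walk the log in order and apply the lockout and spray rules.

    Returns a dict with:
      locked                - operator ID -> time of the most recent lock
      attempts_while_locked - operator ID -> attempts rejected during a lock
      spray_sources         - source IP -> distinct operator IDs it failed against
    """
    failures = defaultdict(deque)   # operator -> failure timestamps inside the window
    by_ip = defaultdict(deque)      # ip -> (timestamp, operator) failures inside the window
    locked, while_locked, spray = {}, defaultdict(int), {}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, operator, ip, ok = parse_line(line)

        # A locked operator ID is rejected without examining the credential.
        if operator in locked and ts - locked[operator] < LOCK_DURATION:
            while_locked[operator] += 1
            continue

        if ok:
            failures[operator].clear()   # a successful login resets the counter
            continue

        q = failures[operator]
        q.append(ts)
        while ts - q[0] > FAILURE_WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked[operator] = ts

        # Password spraying: one source, many IDs, each ID failing only once or twice.
        s = by_ip[ip]
        s.append((ts, operator))
        while ts - s[0][0] > FAILURE_WINDOW:
            s.popleft()
        distinct = len({op for _, op in s})
        if distinct >= SPRAY_THRESHOLD:
            spray[ip] = max(distinct, spray.get(ip, 0))

    return {"locked": locked,
            "attempts_while_locked": dict(while_locked),
            "spray_sources": spray}


# Constructed sample log: a dictionary attack on 'jdoe', a legitimate typo by
# 'asmith' followed by a successful login, and a spray from 203.0.113.9.
SAMPLE_LOG = "\n".join([
    "2024-05-01T09:00:01 jdoe 198.51.100.7 FAIL",
    "2024-05-01T09:00:04 jdoe 198.51.100.7 FAIL",
    "2024-05-01T09:00:09 jdoe 198.51.100.7 FAIL",
    "2024-05-01T09:00:13 jdoe 198.51.100.7 FAIL",
    "2024-05-01T09:00:20 jdoe 198.51.100.7 FAIL",   # fifth failure: lock
    "2024-05-01T09:00:25 jdoe 198.51.100.7 FAIL",   # rejected while locked
    "2024-05-01T09:05:00 asmith 192.0.2.44 FAIL",
    "2024-05-01T09:05:30 asmith 192.0.2.44 OK",
    "2024-05-01T10:00:00 asmith 192.0.2.44 FAIL",
    "2024-05-01T10:30:00 asmith 192.0.2.44 FAIL",
] + [f"2024-05-01T11:00:{i:02d} user{i:02d} 203.0.113.9 FAIL" for i in range(1, 11)])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it reports `jdoe` locked at 09:00:20 with one further rejected attempt, no lock for `asmith` (the successful login cleared the earlier failure and the later two failures fall outside one window), and `203.0.113.9` as a spray source against ten operator IDs even though no single ID came anywhere near the lockout threshold.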
- Configure authentication time-outs
- Set an appropriate authentication time-out for each access group according to corporate standards. Configure this setting on the Advanced tab of the Access Group form. For custom authentication, set this time-out to be longer than the time-out in the external authentication service.
For more information, see Configuring security settings for an access group.
- Secure database access
- Secure your database connections.
- In the Records Explorer of Dev Studio, expand the SysAdmin category, and then click Database and open the database instance.
- On the Database tab, in the How to connect field, select Use JDBC Connection Pool. With this setting, Pega Platform reaches the database through a data source that the application server publishes by using Java Naming and Directory Interface (JNDI), so the database credentials stay in the application server configuration. Avoid the Use configuration in Preferences setting, because it displays the database credentials as clear text.
- Limit the privileges and roles of the Pega Platform database account so that it cannot truncate tables, create or drop tables, or otherwise alter the schema. This restriction might cause the View/Modify Database Schema tool to operate in read-only mode.
For more information, see Creating database data instances.
For more information, see Service Wizard: Configure Data Records.
- Audit changes to application data
- Enable field-level auditing, where appropriate, so that changes to the sensitive properties of key classes are recorded in the corresponding History- tables.
For more information, see Enabling security auditing for a data class or rule type.
- Audit other types of user and developer actions
- Configure security event logging to track user and developer actions that might be unauthorized or indicate suspicious patterns of behavior. If a security violation or breach occurs, the log can help you determine the level of exposure and risk, and identify remedial actions.
For more information, see Selecting a security event to monitor.
If you are deploying on Pega Cloud, for more information, see: