Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Security Checklist additional tasks

Updated on July 1, 2021

These tasks are not part of the core Security Checklist because they do not apply to all applications. You should review these additional tasks and determine if they apply to your application.

Additional tasks in the Security Checklist

The tasks in this checklist are not considered core tasks because:

  • They involve changing configuration defaults specified in Pega Platform. These should be acceptable for most organizations and most applications, but your organization’s security policies may require different configurations. Examples are session timeout limits and policies for password format and complexity.
  • If you are running a Pega application, they depend on how extensively and in what ways you have customized the application. An example is controlling access to REST services you have added to the application by using strong authentication.

Securely authenticate REST API requests

Ensure that login attempts, and attempts to access data or functions through application services, are correctly authenticated and are from known, trusted users and systems.

For more information, see Authentication services.

Configure authentication security policies
Configure the following authentication security policies for better user authentications and session management:
Authentication security policiesBenefits
Password format policiesDefend your system against brute force attacks in which a hacker tries thousands of randomly generated credentials or popular passwords from a password dictionary to gain application access.
CAPTCHA policiesGuard passwords against brute force attacks by automated processes.
Session lockout policiesGuard against brute force attacks by locking out operator IDs with too many failed login attempts.
Login attempt auditing policiesCan help identify patterns of suspicious behavior.
Multifactor authenticationIncrease identity verification by requiring a second, one-time passcode that is sent to the operator from a separate device or account.
Operator access policiesAutomatically disable operator IDs that are inactive after a specified period of time.

For more information, see Managing security policies.

Configure authentication time-outs
Set an appropriate authentication time-out for each access group according to corporate standards. Configure this setting on the Advanced tab of the Access Group form. For custom authentication, set this time-out to be longer than the time-out in the external authentication service.

For more information, see Configuring security settings for an access group.

Secure database access
Secure your database connections.
In the Records Explorer of Dev Studio, expand the SysAdmin category, and then click Database and open the database instance.
On the Database tab, in the How to connect field, select use JDBC Connection Pool setting. This setting allows the Pega Platform application to access databases through a Java Naming and Directory Interface (JNDI) server. Avoid using the Use configuration in Preferences setting to define databases, because it displays credentials in the database as clear text.
Limit the capabilities and roles in the Pega Platform database account to restrict the ability to truncate tables, create or delete tables, or otherwise alter the schema. This limit on capabilities and roles might cause the View/Modify Database Schema tool to operate in read-only mode.

For more information, see Creating database data instances.

For more information, see Service Wizard: Configure Data Records.

Audit changes to application data
Enable field-level auditing in History- tables, where appropriate, to track changes to key sensitive class properties.

For more information, see Enabling security auditing for a data class or rule type.

Audit other types of user and developer actions
Configure security event logging to track user and developer actions that might be unauthorized or indicate suspicious patterns of behavior. If a security violation or breach occurs, the log can help you determine the level of exposure and risk, and identify remedial actions.

For more information, see Selecting a security event to monitor.

If you are deploying on Pega Cloud, for more information, see:

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us