When you are deploying on-premises and not on Pega Cloud there are additional considerations you should address when completing the Security Checklist.
- Secure file uploads
Pega Cloud Services environments automatically check uploaded files for viruses. If you do not have a Pega Cloud Services environment and documents can be uploaded into your application, we recommend you secure them as follows:
- Use a virus checker to check the files that can be uploaded. You can use an extension point in the CallVirusCheck activity to check attachments.
- Regularly update your virus checker to enable detection of new viruses.
- Restrict the file type by adding a when rule or a decision table to the SetAttachmentProperties activity to evaluate whether a document type is allowed. If a file type is not allowed (evaluated as false), you can set up a message on the step page that stops the save attachment activity from being performed.
- Verify that the XML/AllowDocTypes dynamic system setting is set to false.
For more information, see:
- Extension points and supporting rules for attachments
- Standard activities — Extension points
- Restricting user actions for case attachments
- Configuring steps in an activity
Perform production testing in a production-like environment
During production testing, configure your application and the test environment to mirror the intended production environment. Otherwise, your testing might not uncover serious security vulnerabilities.
The tasks in this section are not required if you are deploying your application to Pega Cloud, because it automatically performs these tasks.
- Apply patches, updates, and hotfixes
- Install the latest patches and updates to the operating system, application and web servers, proxies, database, and related applications.
- For Pega Platform 8.x releases, you should install the latest patch release. For earlier Pega Platform Releases you should be running the latest version, and planning to upgrade to Version 8.x in the near future.
- Regardless of what release you are running, you should frequently check for any recommended security updates, which are posted at https://collaborate.pega.com/discussion/essential-hotfixes.
- Configure the database and communications to mirror production
- Configure the system and database according to your company’s security policies and to be the same as in production environment to which the application will be deployed. This configuration should include the use of TLS for all communication between clients and the application.
- If you use TLS, remove any cipher suites that have null ciphers. This action prevents the login credentials and password from being sent in clear text format between the client and server even over a TLS connection (if a server and client discover only a null cipher suite in common).
- Configure authentication to mirror production
- Configure the system to mirror the production authentication scheme. Verify that all client updates and patches are applied. When testing authentication from a browser, clear the browser’s password history and disable the browser’s autocomplete or autofill feature.
- Configure the application server to mirror production
- Configure the application server in your test environment to mirror the configuration in your production environment.
For more information, see Security guidelines for test environments.
- Test monitoring and analyzing security events and alerts
- Define the process for routinely monitoring security events and alerts in production for your application. Test that process by intentionally generating events and alerts to verify that your process identifies and responds to them in a timely manner.
- Secure web.xml
- If you are not deploying your application to Pega Cloud, make the following
changes to the web.xml deployment descriptor file:
- Limit or block access to the Pega Platform servlets that support only testing and debugging, including HeapDisplay, SecManServlet, and PRSOAPSimulator.
- Remove unnecessary resources and servlets.
- Set appropriate time-outs at the application server level and requestor level.
- Block access to the prweb/PRServlet servlet, which allows users to log in using the older platform login process instead of the newer PRAuth-based authentication services.
For more information, see Application URL patterns for various authentication service types.
If you are deploying on Pega Cloud, see Security Checklist when deploying on Pega Cloud.