
This documentation site is for previous versions. Visit our new documentation site for current releases.


Updated on July 1, 2021

Pega Platform protects you against a wide variety of security risks, whether inadvertent or malicious. Use the platform features related to authentication, authorization, and auditing to protect and monitor the use of your application.

Security basics

Security failures can expose your organization to severe consequences, such as damage to your organization’s reputation, customer loss, lack of customer trust, and potential legal and financial penalties.

Goal of security

The goal of security is to maintain availability, integrity, and confidentiality. This goal is primarily accomplished by implementing authentication, authorization, and auditing. When confidentiality is compromised, unauthorized individuals gain access to systems or data. When integrity is compromised, unauthorized individuals can modify systems or data. When availability is compromised, unauthorized individuals can disrupt the application or website, so that users lose timely and uninterrupted access.

Pega Platform security features

Pega Platform provides powerful capabilities for implementing security in your applications, especially when you deploy guardrail-compliant applications. The Pega Platform model-driven architecture helps you to secure applications in most cases by configuring built-in features, and you do not need to rely on custom code built by developers who are not security experts.

Other Pega Platform security components

In addition to features that explicitly accomplish authentication, authorization, and auditing, other Pega Platform components represent important policies, assets, and safeguards to use with these features.

Certificate, key, and token management
The management of these important assets is critical to the secure functioning of other security features.
Confidentiality and encryption
The confidentiality of your sensitive data at rest, in transit, and in use is extremely important. Pega Platform uses state-of-the-art encryption features that allow you to secure sensitive information at any point in a business process.
Virus checking
Pega Platform allows your application to link to a third-party virus checking program before processing any email or attachment.
Content security policies (CSP)
Use CSP to lock down your application to mitigate the risk of content injection vulnerabilities (such as cross-site scripting) and reduce the privileges required to run your application. Pega Platform sends CSP headers only on dynamic content requests, not on static content requests.
For more information, see:
  • Security foundations

    Security and privacy are concerns at the forefront of every organization. A better understanding of security foundations helps you to implement a comprehensive security solution.

  • Security Checklist

    The Security Checklist provides Pega's leading practices for securely deploying applications. To assist you in tracking the completion of the tasks in the Security Checklist, Pega Platform™ shows the overall completion on the Dev Studio Home page and provides built-in ways to track the status of each task.

  • Authentication

    Apply authentication methods to ensure that only users and systems with a verified identity can access your applications, web pages, APIs, and data. Authentication in Pega Platform includes user logins, platform requests to external services, and external service requests to Pega Platform. You can also authenticate by using an external identity provider.

  • Authorization

    Authorization ensures that after logging in, users have access to only the features and data that they need for their work. Pega Platform offers three types of authorization: role-based access control, attribute-based access control, and client-based access control. You can use these authorization features together to provide the strictest level of control.

  • Auditing

    With Pega Platform, you can track many types of security events, such as failed logins, password changes, and changes to rules and data. By tracking all of these events, you can understand how your system functions and detect any potential problems.

  • Mitigate common (OWASP Top 10) security vulnerabilities

    Pega Platform offers policies on the Security Policies landing page, as well as additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and others. Use these features to ensure that your system is as secure as possible.

  • Security in App Studio

    To increase system usability and better accommodate multi-functional teams, some parts of the security framework are now available in App Studio.

  • Secure your application user interface

    As a security administrator, you permit or restrict groups of users to access various actions in an application, such as having access to a case type, flow action, or button.

  • Verify requests at the application layer

    Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.

  • Security operations

    Beyond authentication, authorization, and auditing, Pega Platform offers many other configurable security features, such as encryption, HTTP response headers, and Web Service Security profiles. Use these features to ensure that your application is as secure as possible.
