Security Checklist additional tasks
These tasks are not part of the core Security Checklist because they do not apply to all applications. You should review these additional tasks and determine if they apply to your application.
These additional tasks may be required, depending on what Platform features your application uses, how much you customize a Pega application, the amount of sensitive data created and stored within the application, and other factors.
Additional tasks in the Security Checklist
The tasks in this checklist are not considered core tasks because:
- They involve changing configuration defaults specified in Pega Platform. These should be acceptable for most organizations and most applications, but your organization’s security policies may require different configurations. Examples are session timeout limits and policies for password format and complexity.
- If you are running a Pega application, they depend on how extensively and in what ways you have customized the application. An example is controlling access to REST services you have added to the application by using strong authentication.
- Configure authentication security policies
- Configure the following authentication security policies to strengthen user authentication and session management. Each policy and the benefit it provides:
- Password format policies: defend the system against brute force attacks in which an attacker submits thousands of randomly generated credentials, or popular passwords from a password dictionary, to gain access to the application.
- CAPTCHA policies: guard passwords against brute force attacks run by automated processes.
- Session lockout policies: guard against brute force attacks by locking out operator IDs that accumulate too many failed login attempts.
- Login attempt auditing policies: record login activity so that patterns of suspicious behavior can be identified.
- Multifactor authentication: increases identity verification by requiring a second, one-time passcode that is sent to the operator through a separate device or account.
- Operator access policies: automatically disable operator IDs that have been inactive for a specified period of time.
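As an added illustration (not Pega Platform code), the following Python models the password format, password dictionary and session lockout policies from the list above so that their effect on a brute force attempt can be tested. The thresholds, the dictionary of common passwords and the operator IDs are assumed values chosen for the example.

```python
# Added example, not Pega Platform code: a minimal model of the password format,
# dictionary and session lockout policies, so the effect of each setting can be
# exercised against sample login attempts. Thresholds, the dictionary and the
# operator IDs below are assumed values.
import re
from collections import defaultdict

# Constructed dictionary of commonly guessed passwords (a real deployment would
# load a much larger list).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "pega1234"}


def password_violations(password):
    """Return the names of the format rules a candidate password violates (empty = accepted).
    Assumed policy: at least 12 characters, mixed case, a digit, a symbol, not a common password."""
    rules = [
        ("min_length", len(password) >= 12),
        ("lowercase", re.search(r"[a-z]", password) is not None),
        ("uppercase", re.search(r"[A-Z]", password) is not None),
        ("digit", re.search(r"\d", password) is not None),
        ("symbol", re.search(r"[^A-Za-z0-9]", password) is not None),
        ("not_common", password.lower() not in COMMON_PASSWORDS),
    ]
    return [name for name, ok in rules if not ok]


class LockoutPolicy:
    """Lock an operator ID after `max_failures` failed logins within `window_s` seconds.
    The lock lasts `lockout_s` seconds; a successful login clears the failure counter."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(list)   # operator -> timestamps of recent failures
        self._locked_until = {}              # operator -> time at which the lock expires

    def is_locked(self, operator, now):
        return self._locked_until.get(operator, 0.0) > now

    def record_attempt(self, operator, success, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(operator, now):
            # Attempts during the lock are refused before credentials are even checked,
            # so guessing makes no progress while the lock holds.
            return "locked"
        if success:
            self._failures.pop(operator, None)
            return "ok"
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self._failures[operator] if now - t < self.window_s]
        recent.append(now)
        self._failures[operator] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[operator] = now + self.lockout_s
            self._failures.pop(operator, None)
            return "locked"
        return "failed"


def simulate_brute_force(policy, operator="jdoe", attempts=8):
    """Drive `attempts` wrong guesses one second apart; return the outcome of each attempt."""
    start = 1_700_000_000.0   # fixed clock so the run is deterministic
    return [policy.record_attempt(operator, False, start + i) for i in range(attempts)]


if __name__ == "__main__":
    print(password_violations("pega1234"))
    print(simulate_brute_force(LockoutPolicy()))
```

With the default policy the fifth wrong guess triggers the lock and every later attempt is refused without a credential check, which is the property a lockout policy is meant to provide; the window keeps slow, spaced-out guessing from accumulating indefinitely against a counter that never resets.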
- Configure authentication time-outs
- Set an appropriate authentication time-out for each access group according to corporate standards. Configure this setting on the Advanced tab of the Access Group form. For custom authentication, set this time-out to be longer than the time-out in the external authentication service.
For more information, see Configuring security settings for an access group.
- Secure database connections
- Secure your database connections.
- In the Records Explorer of Dev Studio, expand the SysAdmin category, click Database, and then open the database instance.
- On the Database tab, in the How to connect field, select Use JDBC Connection Pool. With this setting the application obtains connections from a data source that the application server publishes through a Java Naming and Directory Interface (JNDI) server, so the database credentials stay in the application server configuration rather than in Pega Platform. Avoid the Use configuration in Preferences setting for defining databases, because it stores the database credentials in clear text in the Pega database, where anyone who can read that record can see them.
- Limit the capabilities and roles in the Pega Platform database account to restrict the ability to truncate tables, create or delete tables, or otherwise alter the schema. This limit on capabilities and roles might cause the View/Modify Database Schema tool to operate in read-only mode.
For more information, see Creating database data instances.
For more information, see Service Wizard: Configure Data Records.
- Audit changes to application data
- Where appropriate, enable field-level auditing so that changes to sensitive properties of key classes are recorded in the History- tables.
For more information, see Enabling security auditing for a data class or rule type.
- Audit other types of user and developer actions
- Configure security event logging to track user and developer actions that might be unauthorized or indicate suspicious patterns of behavior. If a security violation or breach occurs, the log can help you determine the level of exposure and risk, and identify remedial actions.
For more information, see Selecting a security event to monitor.
- Test monitoring and analyzing security events and alerts
- Define the process for routinely monitoring security events and alerts in production for your application. Test that process by intentionally generating events and alerts to verify that your process identifies and responds to them in a timely manner.
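The following Python is added here as an example and is not taken from Pega Platform or its documentation. It runs detection logic over a few constructed security-event log lines (login failures, a login success and a rule save) and then injects synthetic events to verify that each alert fires, which is the self-test the task above describes. The one-JSON-object-per-line layout with eventTime, eventType, operator, clientIp and outcome fields is an assumed format, not the Pega security event log schema, and the thresholds and business-hours window are assumptions too.

```python
# Added example, not Pega Platform code: detection rules run over constructed
# security-event log lines, plus a self-test that injects synthetic events and
# confirms each rule fires. The log layout (one JSON object per line with
# eventTime, eventType, operator, clientIp, outcome) is assumed, not Pega's schema.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failed logins from one address against several
# operators, one of which then succeeds, followed by a rule change at 02:12.
SAMPLE_LOG = """\
{"eventTime": "2024-05-01T02:10:05Z", "eventType": "LOGIN", "operator": "asmith", "clientIp": "198.51.100.7", "outcome": "FAIL"}
{"eventTime": "2024-05-01T02:10:09Z", "eventType": "LOGIN", "operator": "bjones", "clientIp": "198.51.100.7", "outcome": "FAIL"}
{"eventTime": "2024-05-01T02:10:14Z", "eventType": "LOGIN", "operator": "cwu", "clientIp": "198.51.100.7", "outcome": "FAIL"}
{"eventTime": "2024-05-01T02:10:20Z", "eventType": "LOGIN", "operator": "dlee", "clientIp": "198.51.100.7", "outcome": "FAIL"}
{"eventTime": "2024-05-01T02:10:31Z", "eventType": "LOGIN", "operator": "dlee", "clientIp": "198.51.100.7", "outcome": "SUCCESS"}
{"eventTime": "2024-05-01T02:12:40Z", "eventType": "RULE_SAVE", "operator": "dlee", "clientIp": "198.51.100.7", "outcome": "SUCCESS"}
{"eventTime": "2024-05-01T09:00:00Z", "eventType": "LOGIN", "operator": "asmith", "clientIp": "203.0.113.5", "outcome": "SUCCESS"}
"""


def parse_events(text):
    """Parse one JSON event per line and attach a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, max_failures=3, window=timedelta(minutes=5), business_hours=(8, 18)):
    """Return a list of (rule, subject, detail) alerts, in the order they trigger."""
    alerts = []
    failures_by_ip = defaultdict(list)
    sprayed_ips = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eventType"] == "LOGIN":
            ip = ev["clientIp"]
            if ev["outcome"] == "FAIL":
                recent = [t for t in failures_by_ip[ip] if ev["ts"] - t <= window]
                recent.append(ev["ts"])
                failures_by_ip[ip] = recent
                # Rule 1: many failures from one address, regardless of which operator IDs
                if len(recent) >= max_failures and ip not in sprayed_ips:
                    sprayed_ips.add(ip)
                    alerts.append(("login_burst", ip, f"{len(recent)} failures within {window}"))
            elif ip in sprayed_ips:
                # Rule 2: a success from an address that just produced a burst of failures
                alerts.append(("success_after_burst", ev["operator"], f"from {ip}"))
        elif ev["eventType"] == "RULE_SAVE":
            # Rule 3: developer activity in production outside the assumed business hours
            if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
                alerts.append(("off_hours_rule_change", ev["operator"], ev["eventTime"]))
    return alerts


def make_event(ts, event_type, operator, ip, outcome):
    """Build one event dict in the assumed layout; used to synthesize test events."""
    return {"eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventType": event_type,
            "operator": operator, "clientIp": ip, "outcome": outcome, "ts": ts}


def self_test_monitoring():
    """Generate synthetic events, as the checklist recommends, and confirm every rule fires."""
    base = datetime(2024, 6, 1, 3, 0, 0)      # 03:00, outside the assumed business hours
    ip = "192.0.2.9"
    synthetic = [make_event(base + timedelta(seconds=i), "LOGIN", "canary", ip, "FAIL") for i in range(3)]
    synthetic.append(make_event(base + timedelta(seconds=5), "LOGIN", "canary", ip, "SUCCESS"))
    synthetic.append(make_event(base + timedelta(seconds=10), "RULE_SAVE", "canary", ip, "SUCCESS"))
    fired = {rule for rule, _, _ in detect(synthetic)}
    return fired == {"login_burst", "success_after_burst", "off_hours_rule_change"}


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
    print("monitoring self-test passed:", self_test_monitoring())
```

The self-test is the part worth keeping in a real deployment: run it on a schedule against the production alerting path, using a dedicated canary operator ID, so that a silently broken log shipper or a mis-tuned threshold is noticed before a real incident depends on it.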
If your application includes custom Java or custom HTML written by your project team, there are special tasks you must perform to secure that code.
- Eliminate vulnerabilities in custom code
- Run the Rule Security Analyzer weekly to search through custom (non-autogenerated) code in your rules. This utility finds specific JavaScript or SQL coding patterns that might indicate a security vulnerability.
- Remove vulnerabilities immediately to avoid wasting time refactoring and retesting your work.
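To show what "specific coding patterns" means in practice, here is a small pattern scanner of the same kind as the Rule Security Analyzer, added as an example (it is not the analyzer's own code or its rule set), run over constructed custom Java/JavaScript snippets: a vulnerable version and a hardened version that uses a bound parameter and textContent instead. The patterns and the snippets are assumptions chosen for illustration.

```python
# Added example, not the Rule Security Analyzer itself: a regex scanner of the same
# kind, run over constructed custom-code snippets, to show the sort of patterns such
# a tool flags and why each one matters. Patterns and snippets are illustrative.
import re

# Each entry: (finding name, compiled regex, why the match is a problem)
PATTERNS = [
    ("sql_concatenation",
     re.compile(r'"[^"\n]*\b(?:SELECT|INSERT|UPDATE|DELETE|WHERE|ORDER BY)\b[^"\n]*"\s*\+\s*\w', re.I),
     "SQL built by string concatenation; use bind parameters instead"),
    ("js_eval", re.compile(r"\beval\s*\("),
     "eval() executes whatever string it is handed"),
    ("js_innerhtml", re.compile(r"\.innerHTML\s*="),
     "innerHTML assignment renders unescaped markup"),
    ("js_document_write", re.compile(r"\bdocument\.write\s*\("),
     "document.write() inserts unescaped markup"),
    ("java_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
     "operating system command execution from rule code"),
]


def scan(source):
    """Return [(line_number, finding_name, line_text)] for every flagged line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, regex, _why in PATTERNS:
            if regex.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


# Constructed "before" snippet resembling hand-written Java in a rule, embedding JS.
VULNERABLE = '''\
String sql = "SELECT * FROM pc_work WHERE pyID = '" + tools.getParamValue("WorkID") + "'";
ResultSet rs = stmt.executeQuery(sql);
String handler = "function f(){ eval(localStorage.getItem('cb')); }";
String out = "document.getElementById('msg').innerHTML = userText;";
'''

# Constructed "after" snippet: parameterized query and a text (not markup) DOM assignment.
HARDENED = '''\
PreparedStatement ps = conn.prepareStatement("SELECT * FROM pc_work WHERE pyID = ?");
ps.setString(1, tools.getParamValue("WorkID"));
ResultSet rs = ps.executeQuery();
String out = "document.getElementById('msg').textContent = userText;";
'''


def report(source):
    """Print each finding with the reason it was flagged."""
    for lineno, name, text in scan(source):
        why = next(w for n, _, w in PATTERNS if n == name)
        print(f"line {lineno}: {name}: {why}\n    {text}")


if __name__ == "__main__":
    report(VULNERABLE)
    print("hardened findings:", scan(HARDENED))
```

A scanner like this is deliberately noisy: a concatenated string that happens to contain the word WHERE is flagged even when the appended value is a constant. That is the right trade-off for a weekly review of hand-written code, where a false positive costs a minute and a missed injection point costs a breach; the fix for a true positive is to move the user-controlled value into a bound parameter, as the hardened snippet does.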
- Configure rules appropriately
- When creating rules:
- Apply the correct type to every property (for example Integer, Date or Decimal rather than Text), so that the platform's type validation rejects malformed values instead of accepting any string.
- Review the unauthenticated access group to make sure that it grants only the minimum access to rules that unauthenticated users require.
- Secure HTML if it exists in your application
- Keep your application guardrail-compliant and do not include custom (non-autogenerated) HTML. However, if you do include custom HTML, follow Pega guidelines to minimize security vulnerabilities in your application.
For more information, see Security guidelines for custom HTML.
- Configure authentication to mirror production
- Configure the system to mirror the production authentication scheme. If testing authentication via a browser, verify that all client updates and patches are applied. Also, clear the browser's password history and disable the browser's AutoComplete/Autofill feature.
For more information, see Implementing security guidelines for test environments.
- Define appropriate access control for client personal info
- Use client-based access policies to define what application data is subject to data privacy regulations like GDPR and how access to that data will be handled.