Pega Platform offers policies on the Security Policies landing page, as well as additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and other types of vulnerabilities. Use these features to ensure that your system is as secure as possible.
According to their official site, the OWASP Top 10 is a standard awareness document for developers and web application security specialists. It represents a broad consensus about the most critical security risks to web applications.
Pegasystems uses the 2017 OWASP Top 10 Web Application Security Risks as a means of focusing on the most effective steps towards producing more secure code and applications.
OWASP Top 10 Web application security risks
The 2017 OWASP Top 10 Web application security risks include the following:
- Injection: Pega Platform prevents execution of unintended commands or access to data without proper authorization. For more information, see:
- Broken authentication: Pega Platform can prevent authentication and session management from being implemented incorrectly. For more information, see:
- Sensitive data exposure: Pega Platform aids in proper configuration to protect sensitive data. For more information, see:
- XML external entities (XXE): Older or poorly configured XML processors evaluate external entity references within XML documents. Pega Platform follows leading practices in all of our code, in which XML parsing prevents XXE. As part of the security development life cycle (SDLC), Pega Platform has code scanners that check new or modified code and merges it into the repository. Through this process, bad code is blocked from the repository and must be addressed before the merge can be complete.
- Broken access control: Pega Platform restricts what authenticated users are allowed to do and the policies surrounding user access as properly enforced. For more information, see Using Access Control Checks.
- Security misconfiguration: As the most common security issue, Pega Platform applications must be securely configured and updated and patched in a timely fashion. For more information, see:
- Cross-site scripting XSS: Pega Platform includes features to prevent cross-site scripting, a client-side code injection attack, in which an attacker can run malicious scripts on a legitimate website or web application. For more information, see Understanding cross-site scripting.
- Insecure deserialization: Pega Platform allows for proper deserialization, which prevents remote code execution. For more information, see Configuring the deserialization filter.
- Using components with known vulnerabilities: Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. There are several layers related to this issue. The easiest way to combat components with known vulnerabilities is to verify that all of the pieces of your applications are the most up to date, secure versions available. This includes installation of all upgrades and patches. This should also be done with all external services, Pega Platform, and computer operating systems. Pega Platform uses third-party components that also need to be secured. Scanners run in the background that analyze libraries used in the product and see whether those libraries are at risk, which is then reported.
- Insufficient logging and monitoring: Pega Platform has sufficient logging and monitoring coupled with effective incident response. For more information, see:
Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF was part of the 2013 OWASP Top 10. Pega Platform continues to provides protections against CSRF. For more information, see Understanding cross-site request forgery
- Configuring the Java injection check
At design time and at run time, Pega Platform checks activities, functions, and stream rules for particular Java injection vulnerabilities.
- Implementing security guidelines for custom HTML
- Compliance with regulatory standards
Regulatory compliance ensures that organizations are aware of and comply with relevant laws, policies, and regulations. Regulatory compliance is when a business follows international and local laws and regulations that are relevant to its operations.
- Using Access Control Checks
Use access control checks to identify broken custom code that must be fixed. During development, it is easy to introduce risks into your application by implementing custom code. By using access control checks, you help proactively fix your code by identifying potential issues.
- Using HTTP response headers
To improve the security of your application against client-based attacks, you can use the HTTP response headers that are supported by your browser.
- Defining cross-origin resource sharing policies
Cross-origin resource sharing (CORS) policies define a method that enables a browser and server to interact and determine whether it is safe to allow a cross-origin request. For example, a client using a Pega Marketing application running in a browser, may see advertisements from third-parties, and if they click one of these advertisements, the CORS policy will record that the advertisement was viewed or clicked on.
- Understanding cross-site scripting
Cross-site scripting is a client-side code injection attack, in which an attacker can run malicious scripts on a legitimate website or web application.
- Configuring the deserialization filter
In Pega Platform, a global filter checks a list of blocked classes that are not allowed to be deserialized. You can add classes to the global deserialization filter to increase the security of your application by preventing unauthorized access.
- Understanding cross-site request forgery