Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Security Checklist additional tasks

Updated on June 30, 2021

These tasks are not part of the core Security Checklist because they do not apply to all applications. You should review these additional tasks and determine if they apply to your application.

These additional tasks may be required, depending on what Platform features your application uses, how much you customize a Pega application, the amount of sensitive data created and stored within the application, and other factors.

Additional tasks in the Security Checklist

The tasks in this checklist are not considered core tasks because:

  • They involve changing configuration defaults specified in Pega Platform. These should be acceptable for most organizations and most applications, but your organization’s security policies may require different configurations. Examples are session time-out limits and policies for password format and complexity.
  • If you are running a Pega application, they depend on how extensively and in what ways you have customized the application. An example is controlling access to REST services you have added to the application by using strong authentication.
Configure authentication security policies
Configure the following authentication security policies for better user authentications and session management.
Authentication security policiesBenefits
Password format policiesDefend your system against brute force attacks in which a hacker tries thousands of randomly generated credentials or popular passwords from a password dictionary to gain application access.
CAPTCHA policiesGuard passwords against brute force attacks by automated processes.
Session lockout policiesGuard against brute force attacks by locking out operator IDs with too many failed login attempts.
Login attempt auditing policiesCan help identify patterns of suspicious behavior.
Multifactor authenticationIncrease identity verification by requiring a second, one-time passcode that is sent to the operator from a separate device or account.
Operator access policiesAutomatically disable operator IDs that are inactive after a specified period of time.
Configure authentication time-outs
Set an appropriate authentication time-out for each access group according to corporate standards. Configure this setting on the Advanced tab of the Access Group form. For custom authentication, set this time-out to be longer than the time-out in the external authentication service.

For more information, see Configuring security settings for an access group.

Secure database connections
Secure your database connections.
In the Records Explorer of Dev Studio, expand the SysAdmin category, and then click Database and open the database instance.
On the Database tab, in the How to connect field, select use JDBC Connection Pool setting. This setting allows the Pega Platform application to access databases through a Java Naming and Directory Interface (JNDI) server. Avoid using the Use configuration in Preferences setting to define databases, because it displays credentials in the database as clear text.
Limit the capabilities and roles in the Pega Platform database account to restrict the ability to truncate tables, create or delete tables, or otherwise alter the schema. This limit on capabilities and roles might cause the View/Modify Database Schema tool to operate in read-only mode.

For more information, see Creating database data instances.

For more information, see Service Wizard: Configure Data Records.

Audit changes to application data
Enable field-level auditing in History- tables, where appropriate, to track changes to key sensitive class properties.

For more information, see Enabling security auditing for a data class or rule type.

Audit other types of user and developer actions
Configure security event logging to track user and developer actions that might be unauthorized or indicate suspicious patterns of behavior. If a security violation or breach occurs, the log can help you determine the level of exposure and risk, and identify remedial actions.

For more information, see Selecting a security event to monitor.

If you are deploying on Pega Cloud, for more information, see:

Test monitoring and analyzing security events and alerts
Define the process for routinely monitoring security events and alerts in production for your application. Test that process by intentionally generating events and alerts to verify that your process identifies and responds to them in a timely manner.

If your application includes custom Java or custom HTML written by your project team, there are special tasks you must perform to secure that code.

Eliminate vulnerabilities in custom code
Run the Rule Security Analyzer weekly to search through custom (non-autogenerated) code in your rules. This utility finds specific JavaScript or SQL coding patterns that might indicate a security vulnerability.
Remove vulnerabilities immediately to avoid wasting time refactoring and retesting your work.

For more information, see:

Configure rules appropriately
When creating rules:
  • Limit the capabilities and roles that are available to the Pega Platform database account to reduce additional capabilities to truncate tables, create or delete tables, or otherwise alter the schema. This limit on capabilities and roles might cause the View/Modify Database Schema tool to operate in read-only mode
  • Apply the correct type for all properties
  • Review the unauthenticated access group to make sure that it has the minimum required access to rules.

If your application includes custom Java or custom HTML written by your project team, there are special tasks you must perform to secure that code.

Secure HTML if it exists in your application
Keep your application guardrail-compliant and do not include custom (non-autogenerated) HTML. However, if you do include custom HTML, follow Pega guidelines to minimize security vulnerabilities in your application.

For more information, see Security guidelines for custom HTML.

Configure authentication to mirror production
Configure the system to mirror the production authentication scheme. If testing authentication via a browser, verify that all client updates and patches are applied. Also, clear the browser’s password history and disable the browser’s AutoComplete/Autofill feature.

For more information, see Implementing security guidelines for test environments.

Define appropriate access control for client personal info
Use client-based access policies to define what application data is subject to data privacy regulations like GDPR and how access to that data will be handled.
Secure access to servlets
Use Servlet Management to add, modify, and disable the servlet configurations.

For more information, see Servlet management.

Securely configure SAML authentication
SAML authentication services must be configured so that logins will not succeed when, during login, an unsigned assertion is received by Pega Platform from the identity provider during login.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us