
Security Checklist

Updated on March 15, 2022

The Security Checklist provides Pega's leading practices for securely deploying applications. To assist you in tracking the completion of the tasks in the Security Checklist, Pega Platform™ shows the overall completion on the Dev Studio Home page, and built-in ways to track the status of each task.

Pega takes application and system security extremely seriously. Security is a shared responsibility between Pega and our clients.

Each successive release of Pega Platform augments the security features and capabilities available to harden applications and systems against improper access and to protect the data that those applications manage.

The Security Checklist is the key feature of Pega Platform that assists clients in hardening their applications and systems. The Security Checklist does the following:

  • Provides Pega's leading practices for securely deploying applications.
  • Helps protect the confidentiality, integrity, and availability of your application in production.
  • Identifies when each task should be performed: at or near the beginning of development, on an ongoing basis, or just before deployment.
  • Helps avoid expensive rework late in your development process.

To assist you in tracking the completion of the tasks in the Security Checklist, Pega Platform automatically installs an application guideline rule instance that includes the tasks in the Security Checklist for each version of your application.

For more information, see Assessing your application using the Security Checklist.

Note: If you are using Deployment Manager, starting in Pega Platform 8.5, completing the Security Checklist is required to move an application into production.

Security is critical

Inadequate security can prevent your application from being deployed in two ways:

  • Most clients need approval from the IT security group, which reviews the application’s security before the project team can put the application into production.
  • If a client is building their application with Deployment Manager, the application will be blocked if the Security Checklist has not been completed.

Your responsibility as an administrator, senior system architect, or lead system architect is to ensure the confidentiality, integrity, and availability of your application. Unauthorized individuals should not be able to access or modify the application or the data it creates and stores. Further, users should only have access to those application functions and data that are necessary to perform their jobs.

Prepare to complete the Security Checklist

At the beginning of application development, determine who is responsible for verifying the completion of the tasks in the Security Checklist, and assign clear responsibility for each task to the Security Administrator.

Determine who is responsible for this Checklist
  • Determine who will be responsible for the checklist. This individual will create user stories for each item in the Security Checklist and assign them to developers responsible for completing those tasks. For more information, see Creating stories from the Security Checklist.
  • When work is assigned to a user, they must pick up and complete the work. For more information, see Changing statuses of work items.
  • Once the work has been completed, each task in the checklist can be marked as completed.
    Note: Tasks in the Security Checklist should be marked as complete after the work associated with that task has been completed.

Completion of tasks

Each item in the Security Checklist can be spun off as a user story, or task, and assigned to an application developer. Users can see the stories assigned to them in Agile workbench.

Independent security assessment

An independent assessment of your application’s security, and sign-off of that assessment, is always recommended and is required by most organizations’ IT Security groups.

Guardrail compliance: the basis of a secure application

The most important security requirement for all Pega Platform applications is to maintain guardrail compliance. Pega Platform security features cannot always be successfully enforced in custom code.

Use the built-in security configuration features in Pega Platform to protect your application, and do not rely on custom code built by developers who are not security experts.

Review the Application Guardrails landing page weekly and make changes to keep your application rules in compliance.

Do not wait until deploying your application to eliminate non-compliant rules, because applying changes is costlier after deployment.

For more information, see Improving your compliance score.

If your application includes custom Java or custom HTML written by your project team, you must perform special tasks to secure that code.

For more information, see:

Not all security tasks are required for all applications or releases

When reviewing the Security Checklist tasks, it is important to understand the nature of the application and how it will be deployed, because these tasks are not required for all applications:

  • Creating stories from the Security Checklist

    The first item of the Security Checklist is Determine who is responsible for this Checklist. Whoever is responsible for the Security Checklist needs to assign each item as a story to the individual who will complete each checklist task.

  • Security Checklist core tasks

    The Security Checklist provides Pega's leading practices for securely deploying applications. To assist you in tracking the completion of the tasks in the Security Checklist, Pega Platform shows the overall completion on the Dev Studio Home page, and built-in ways to track the status of each task.

  • Security Checklist additional tasks

    These tasks are not part of the core Security Checklist because they do not apply to all applications. You should review these additional tasks and determine if they apply to your application.

  • Security Checklist when deploying on Pega Cloud

    For applications deployed on Pega Cloud services, there are additional considerations you should address when completing the Security Checklist.

  • Security Checklist when deploying in on-premises environments

    When you are deploying on-premises, there are additional considerations you should address when completing the Security Checklist.

  • Assessing your application using the Security Checklist

    Use the Security Checklist to prepare your application for deployment. By completing the tasks on this checklist, you can safeguard sensitive data and improve the security of your application.

  • Adding the Security Checklist to an application created before 7.3.1

    The Security Checklist is automatically added to applications starting in Pega Platform 7.3.1. You can manually add the Security Checklist to applications that were created in earlier versions. By completing the tasks on the checklist, you can improve the security of your application.

  • Implementing security guidelines for test environments

    As a best practice, configure the application server in your test environment so it mirrors a production environment configuration.
