Additional tasks in the Security Checklist

The tasks in this checklist are not considered core tasks because:

• They involve changing configuration defaults specified in Pega Platform. These should be acceptable for most organizations and most applications, but your organization’s security policies may require different configurations. Examples are session time-out limits and policies for password format and complexity.
• If you are running a Pega application, they depend on how extensively and in what ways you have customized the application. An example is controlling access to REST services you have added to the application by using strong authentication.

Configure authentication security policies

Configure the following authentication security policies for better user authentications and session management.

Authentication security policies	Benefits
Password format policies	Defend your system against brute force attacks in which a hacker tries thousands of randomly generated credentials or popular passwords from a password dictionary to gain application access.
CAPTCHA policies	Guard passwords against brute force attacks by automated processes.
Session lockout policies	Guard against brute force attacks by locking out operator IDs with too many failed login attempts.
Login attempt auditing policies	Can help identify patterns of suspicious behavior.
Multifactor authentication	Increase identity verification by requiring a second, one-time passcode that is sent to the operator from a separate device or account.
Operator access policies	Automatically disable operator IDs that are inactive after a specified period of time.

Configure authentication time-outs

Set an appropriate authentication time-out for each access group according to corporate standards. Configure this setting on the Advanced tab of the Access Group form. For custom authentication, set this time-out to be longer than the time-out in the external authentication service.

For more information, see Configuring security settings for an access group.

Secure database connections

Secure your database connections.

In the Records Explorer of Dev Studio, expand the SysAdmin category, and then click Database and open the database instance.

On the Database tab, in the How to connect field, select use JDBC Connection Pool setting. This setting allows the Pega Platform application to access databases through a Java Naming and Directory Interface (JNDI) server. Avoid using the Use configuration in Preferences setting to define databases, because it displays credentials in the database as clear text.

Limit the capabilities and roles in the Pega Platform database account to restrict the ability to truncate tables, create or delete tables, or otherwise alter the schema. This limit on capabilities and roles might cause the View/Modify Database Schema tool to operate in read-only mode.

For more information, see Creating database data instances.

For more information, see .

Audit changes to application data

Enable field-level auditing in History- tables, where appropriate, to track changes to key sensitive class properties.

For more information, see Enabling security auditing for a data class or rule type.

Audit other types of user and developer actions

Configure security event logging to track user and developer actions that might be unauthorized or indicate suspicious patterns of behavior. If a security violation or breach occurs, the log can help you determine the level of exposure and risk, and identify remedial actions.

For more information, see Selecting a security event to monitor.

If you are deploying on Pega Cloud, for more information, see:

• Accessing server logs by using Kibana
• Streaming Pega logs to Splunk

Test monitoring and analyzing security events and alerts

Define the process for routinely monitoring security events and alerts in production for your application. Test that process by intentionally generating events and alerts to verify that your process identifies and responds to them in a timely manner.

If your application includes custom Java or custom HTML written by your project team, there are special tasks you must perform to secure that code.

Eliminate vulnerabilities in custom code

Run the Rule Security Analyzer weekly to search through custom (non-autogenerated) code in your rules. This utility finds specific JavaScript or SQL coding patterns that might indicate a security vulnerability.

Remove vulnerabilities immediately to avoid wasting time refactoring and retesting your work.

For more information, see:

• Implementing security guidelines for custom HTML.
• Analyzing security vulnerability search results.

Configure rules appropriately

When creating rules:

• Limit the capabilities and roles that are available to the Pega Platform database account to reduce additional capabilities to truncate tables, create or delete tables, or otherwise alter the schema. This limit on capabilities and roles might cause the View/Modify Database Schema tool to operate in read-only mode
• Apply the correct type for all properties
• Review the unauthenticated access group to make sure that it has the minimum required access to rules.

If your application includes custom Java or custom HTML written by your project team, there are special tasks you must perform to secure that code.

Secure HTML if it exists in your application

Keep your application guardrail-compliant and do not include custom (non-autogenerated) HTML. However, if you do include custom HTML, follow Pega guidelines to minimize security vulnerabilities in your application.

For more information, see Security guidelines for custom HTML.

Configure authentication to mirror production

Configure the system to mirror the production authentication scheme. If testing authentication via a browser, verify that all client updates and patches are applied. Also, clear the browser’s password history and disable the browser’s AutoComplete/Autofill feature.

For more information, see Implementing security guidelines for test environments.

Define appropriate access control for client personal info

Use client-based access policies to define what application data is subject to data privacy regulations like GDPR and how access to that data will be handled.

Secure access to servlets

Use Servlet Management to add, modify, and disable the servlet configurations.

For more information, see Servlet management.

Securely configure SAML authentication

SAML authentication services must be configured so that logins will not succeed when, during login, an unsigned assertion is received by Pega Platform from the identity provider during login.