For applications deployed on Pega Cloud services, there are additional considerations you should address when completing the Security Checklist.
Certificate management practices for developing applications to run in Pega Cloud
- Pega Cloud secures inbound interfaces in AWS deployment regions using Amazon ACM root Certificate Authorities (CAs). Modern operating systems and browsers trust the Amazon Trust Services CAs by default; if you use older software, or your application uses a custom trust store or certificate store, you must add the Amazon Trust Services CAs to that store to ensure seamless connectivity to Pega Cloud.
- Because the certificates used in Pega Cloud are renewed and rotated automatically, Pega recommends that source systems and your applications that interact with Pega Cloud environments do not use certificate pinning. This policy aligns with Amazon and Google best practices.
- Pega recommends that source systems and your applications that interact with Pega Cloud environments adopt the common alternative to certificate pinning known as Certificate Transparency (CT). For details, see How CT fits into the wider Web PKI ecosystem.
If your application pins leaf or intermediate certificates, update your application to pin to all Amazon root certificates, or adopt CT practices, by April 10, 2023. Doing so avoids service interruptions that can occur when Pega or AWS renews a certificate automatically. This request aligns with the AWS Certificate Manager best practices for certificate pinning; to review the latest certificates in use, see the Root CA Certificate Information section of the Amazon Trust Services Certification Authorities repository.
Secure file uploads
Pega Cloud implements virus scanning to ensure the integrity of our service, but clients are responsible for mitigating the impacts malware can have on users, applications, and data.
If documents can be uploaded into your application on Pega Cloud, we recommend you secure them as follows:
- Use a virus checker to check the files that can be uploaded.
- Regularly update your virus checker to enable detection of new viruses.
- Restrict the file type by adding a when rule or a decision table to the SetAttachmentProperties activity that evaluates whether a document type is allowed. If a file type is not allowed (the rule evaluates to false), set a message on the step page so that the save attachment activity is not performed.
- Verify that the XML/AllowDocTypes dynamic system setting is set to false.
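The allowlist check described above, written as an added example in plain Python rather than as a Pega when rule; this is not Pega's code, and the `ALLOWED_TYPES` table, the `is_allowed_document` function and the `set_attachment_properties` stand-in for the save step are constructed for illustration. It checks both the declared extension and the file's leading bytes, so a disallowed file renamed with an allowed extension is still rejected, and it returns a message instead of saving when the check evaluates to false:

```python
# Added example (not Pega's code): an allowlist check for uploaded documents.
# In a Pega application this logic would sit in a when rule or decision table
# invoked from the SetAttachmentProperties activity; here it is a plain function.
import os
from typing import Dict, Tuple

# Constructed allowlist: extension -> signatures the content must start with.
# A match proves the container format only (e.g. ".docx" is a ZIP container);
# it is a type check, not a substitute for virus scanning.
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
}


def is_allowed_document(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Both the declared extension and the leading bytes must agree with the
    allowlist, so an executable renamed to report.pdf is rejected even though
    the extension alone looks acceptable.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not on the allowlist"
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"content does not match the {ext} signature"
    return True, "ok"


def set_attachment_properties(filename: str, content: bytes, store: Dict[str, bytes]) -> Dict[str, object]:
    """Hypothetical stand-in for the save-attachment step.

    When the check evaluates to false, a message is recorded and the file is
    not persisted; otherwise the attachment is written to `store`.
    """
    allowed, reason = is_allowed_document(filename, content)
    if not allowed:
        return {"saved": False, "message": f"Attachment rejected: {reason}"}
    store[filename] = content
    return {"saved": True, "message": "Attachment saved"}


if __name__ == "__main__":
    # Constructed sample uploads: a genuine PDF header, an executable header
    # renamed to .pdf, and a file with no extension.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("report-renamed.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("noext", b"%PDF-1.7\n"),
    ]
    attachments: Dict[str, bytes] = {}
    for name, data in samples:
        print(name, set_attachment_properties(name, data, attachments))
```

Extend `ALLOWED_TYPES` to the document types your application actually accepts; keeping the table short is the point of an allowlist, and the virus checker from the steps above still runs on every file that passes it.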
Follow security leading practices for development and testing
The following recommendations are proposed around data used for testing:
- Select test data carefully to ensure that it is protected and controlled through your application authorization and access controls.
- Be mindful of the data you elect to import into sandbox environments (for development and testing purposes).
- Recognize that developers and testers commonly have elevated privileges in “lower” (sandbox) environments and that your users, not Pega, grant and maintain the application privileges.
- If you elect to persist sensitive data to sandbox environments, consider log file implications and check that they do not expose sensitive data.
- Ideally, create test data in a generic form with no relation to live system data. In the exceptional case where live data is needed to perform accurate testing, the live data should be:
  - Anonymized as far as possible.
  - Carefully selected and secured for the period of testing.
  - Securely deleted after you complete your testing.
- Alternatively, you may also consider:
  - Using a production mirror sandbox, which provides an architectural replica of your scaled production environment (rules and data) and which can be used for production staging and testing, scale benchmark testing, and load performance testing.
  - Performing a Pega product file export/import operation to build a production-like equivalent of your current applications. This transfers all rules and schema but none of your data, effectively duplicating your service without including production data.
- Ensure that your developers are informed of and adhere to your organization’s internal security practices pertaining to protecting or masking sensitive data used within your Pega application.
If you are not deploying on Pega Cloud, see Security Checklist when deploying in on-premises environments.