Back Forward About the Rule Security Analyzer

To help you make your PRPC applications more secure, you can run the Rule Security Analyzer. This tool searches through non-autogenerated rules to find specific JavaScript or SQL coding patterns that may indicate a security vulnerability.

To use the analyzer, you need to have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.

Note that:

To access the tool, select > Org and Security > Tools > Security > Rule Security Analyzer. The Search Criteria form appears in a new window.

Completing the Search Criteria form

The form has seven fields, two of which are required. The other fields let you restrict the analysis to a particular subset of the application's rules and code.

Field Description
RuleSets Select one or more RuleSets to analyze.
Rule Types Optional. You can choose one or more rule types within the chosen RuleSet(s) to scan; or make no selection, in which case the tool scans all rule types.
Expression Select the regular expressions rule to use. See Regular Expressions, below.
RuleSet Version Optional. Leave the field blank to have the tool analyze all versions. To limit the analysis, enter major version only ("05"); major and minor version ("05-05"); or major version, minor version, and patch ("05-05-50").
Highest Version Only Select True to scan only the highest version of each rule; select False to scan all versions.
Updated Since Optional. Leave the field blank to not limit the analysis by date. To scan only rules updated after a certain date and time, click the calendar button and enter the date and time to use.
Also list activities that may start unauthenticated If checked, the scan analyzes activities which have May start? checked and Authenticate? unchecked on the Security tab of the Activity rule form.

When you have completed your settings, click Run, or Run and Export all to Excel.The system runs and displays a summary view of the results. See Analyzing the results, below.

Regular expressions

The Rule Analyzer searches for vulnerabilities in code by searching for matches to regular expressions (regex) defined in Rule Analyzer Regular Expressions rules. The system provides these standard regular expressions:

The most effective search for vulnerabilities is to re-run the Rule Analyzer several times, each time matching against a different Regular Expressions rule.

You can supplement the Pega-supplied regular expressions with additional regular expressions you create. See About Regular Expression rules.

Analyzing the results

To examine details of the report, click the + sign to drill down and display the rules in a rule type displaying a total other than 0. Click the rule to open a separate window showing details for that rule type.

If you export to Excel, the system may display a warning that the file ExportData[1].xls is in a different format than is expected. Click Yes to open the file.

Note that a match to the Rule Analyzer Regular Expressions rule does not guarantee that the result constitutes a vulnerability in the code. You must review the results to determine if any matches are false positives.

Definitions regular expression
Related topics About Regular Expression rules
About the Pega-SecurityVA agent

UpTools — Organization and Security