Identifying and mitigating security risks

2 Tasks

20 mins

Pega Platform '23

Pega Platform 8.8 Pega Platform 8.6 (English) Pega Platform 8.6 (日本語) Pega Platform 8.6 (Español) Pega Platform 8.5 Pega Platform 8.3.1

Visible to: All users

Advanced Pega Platform '23 English

Scenario

MDC's Delivery Service application prepares to go live. A security review is necessary before promoting the application to production, and any discovered security risks need to be reviewed.

Conduct a security review of MDC's Delivery Service application using the security checklist. Offer recommendations to enhance the application's security.

You can implement some changes directly in the development environment, while others require configuration after promoting the application to the production environment. Compile a list of configuration tasks for changes that the development environment cannot implement, to be carried out after promoting the application to other environments.

The following table provides the credentials you need to log in to the Delivery Service application. However, this challenge is mainly meant for evaluating the design options, and there are no specific implementation tasks. 

Role	User name	Password
Admin	admin@deliveryservice	rules

You must initiate your own Pega instance to complete this Challenge.

Initialization may take up to 5 minutes so please be patient.

• Log In

Detailed Tasks

1 Tasks to perform on the development environment

1. Deactivate unnecessary out-of-the-box operators.
2. Change passwords for active out-of-the-box operators.
3. Address any issues identified by the security analyzer.
4. Fix any security issues in the Guardrail report.
5. Ensure that timeouts at the application server level, requestor level, and Access Group level have suitable durations.
6. Add the <env name="alerts/suppressalerts" value="true" /> setting to the prconfig.xml file to ensure that sensitive property values, such as customer account numbers and Social Security numbers, do not appear in the Alert log.
7. In each ruleset version, on the Security tab, select the Lock this Version checkbox and enter a password.
8. In each ruleset rule, on the Security tab, select the Use checkout? checkbox and enter three distinct passwords to limit the ability to add versions, update versions, and update the ruleset rule itself.
9. Ensure that properties are of the correct type (for example, integers and dates, not just text).
10. Apply privileges across all the relevant rules (flow actions, reports, flows).
11. Review the Unauthenticated access group to ensure that it has the minimum required access to rules.
12. Ensure that connectors and services have suitable security measures.
13. If the application allows document uploads, ensure that a virus checker is installed.
14. Ensure that file types are restricted.

2 Tasks to perform outside of the development environment

1. Set the production level to an appropriate value in the System record. Set the production level to 5 for the production environment.
2. Update Configuration Sets.
3. Update prconfig settings.
4. Update dynamic system settings.
5. Remove any unnecessary resources or servlets from the web.xml file. Rename default servlets where applicable, particularly PRServlet and PRAuth.
6. If using https, ensure that testing environments are available to test with SSL enabled.
7. Ensure that the system has been set up using a JDBC connection pool through the application server, rather than the database being set up in the prconfig.xml file.
8. Rename and redeploy the prweb.war for each node.
9. Enable security policies.

Confirm your work

      

---

---

Available in the following mission:

• Security Design v4