Skip to main content

Identifying and mitigating security risks

2 Tasks

30 mins

 Visible to: All users Applies to: Pega Platform '24.2
Advanced
English

Scenario

MDC's Delivery Service application prepares to go live. A security review is necessary before promoting the application to production, and any discovered security risks need to be reviewed.

Conduct a security review of MDC's Delivery Service application using the security checklist. Offer recommendations to enhance the application's security.

You can implement some changes directly in the development environment, while others require configuration after promoting the application to the production environment. Compile a list of configuration tasks for changes that the development environment cannot implement, to be carried out after promoting the application to other environments.

The following table provides the credentials you need to log in to the Delivery Service application. However, this challenge is mainly meant for evaluating the design options, and there are no specific implementation tasks. 

Role User name Password
Admin admin@deliveryservice rules

You must initiate your own Pega instance to complete this Challenge.

Initialization may take up to 5 minutes so please be patient.

Detailed Tasks

1 Tasks to perform on the development environment

  1. Deactivate unnecessary out-of-the-box operators.
  2. Change passwords for active out-of-the-box operators.
  3. Address any issues identified by the security analyzer.
  4. Fix any security issues in the Guardrail report.
  5. Ensure that timeouts at the application server level, requestor level, and Access Group level have suitable durations.
  6. Configure the prconfig/suppressInserts/default and prconfig/includeParameterPage/default dynamic system settings (DSS) to omit parameter values in prepared statement inserts and prevent potentially sensitive data values, such as customer account numbers and Social Security numbers, from appearing in the Alert log file.
  7. In each ruleset version, on the Security tab, select the Lock this Version checkbox and enter a password.
  8. In each ruleset rule, on the Security tab, select the Use checkout? checkbox and enter three distinct passwords to limit the ability to add versions, update versions, and update the ruleset rule itself.
  9. Ensure that properties are of the correct type (for example, integers and dates, not just text).
  10. Apply privileges across all the relevant rules (flow actions, reports, flows).
  11. Review the Unauthenticated access group to ensure that it has the minimum required access to rules.
  12. Ensure that connectors and services have suitable security measures.
  13. If the application allows document uploads, ensure that a virus checker is installed.
  14. Ensure that file types are restricted.
  15. Ensure all default service packages and custom authentication services are properly secured.
  16. Encrypt sensitive data in Pega Platform data stores by encrypting entire classes or individual property values.
  17. Set up cross-origin resource sharing (CORS) policies to secure access to your application's REST services from external systems.
  18. Enable Cross-Site Request Forgery (CSRF) protection to prevent unauthorized actions in authenticated user sessions.

2 Tasks to perform outside of the development environment

  1. Set the production level to an appropriate value in the System record. Set the production level to 5 for the production environment.
  2. Update Configuration Sets.
  3. Update prconfig settings.
  4. Update dynamic system settings.
  5. Remove any unnecessary resources or servlets from the web.xml file. Rename default servlets where applicable, particularly PRServlet and PRAuth.
  6. If using https, ensure that testing environments are available to test with SSL enabled.
  7. Ensure that the system has been set up using a JDBC connection pool through the application server, rather than the database being set up in the prconfig.xml file.
  8. Rename and redeploy the prweb.war for each node.
  9. Enable security policies.
  10. A production application must have Content Security Policies (CSPs) to specify allowed resource loading locations for the user's browser.
  11. Ensure logging levels are appropriate for production by setting them to INFO or lower to reduce security risks and limit log file details.

Available in the following mission:

Return to mission Continue mission
If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Yes
No

Want to help us improve this content?
Suggest an edit

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice