
Challenge

Identifying and mitigating security risks

2 Tasks

30 mins

Visible to: All users
Applies to: Pega Platform '25
Advanced
English

Scenario

The MDC Delivery Service application is preparing to go live. Perform a comprehensive security review before promoting the application to production. Assess and remediate any discovered security risks in accordance with Pega Platform™ security standards.

Conduct a security review of the MDC Delivery Service application using the updated Pega Platform security checklist. Identify risks, recommend remediations, and compile a list of configuration tasks for changes that cannot be implemented in the development environment. Perform these tasks after promoting the application to other environments.

The following table provides the credentials you need to log in to the Delivery Service application. However, this challenge is primarily intended to evaluate design options; there are no specific implementation tasks.

Role    User name                  Password
Admin   admin@deliveryservice      rules

You must initiate your own Pega instance to complete this Challenge.

Initialization may take up to 5 minutes so please be patient.

Detailed Tasks

1 Tasks to perform on the development environment

  1. Deactivate unnecessary default operators.
  2. Change passwords for all active out-of-the-box operators to prevent exploitation of default credentials.
  3. Review the Unauthenticated Access Group to ensure it has the minimum required access to rules, following the principle of least privilege.
  4. Apply privileges to all relevant Rules, including Flow Actions, reports, and flows, to enforce role-based access control (RBAC).
  5. Address any issues identified by the Security Analyzer to resolve Rule-level vulnerabilities.
  6. Fix any security issues identified in the Guardrail report.
    Note: Guardrail-compliant applications rely on autogenerated UI code rather than hand-written HTML, JavaScript, or Java, which removes the most common source of Cross-Site Scripting (XSS) vulnerabilities. Review the Guardrails landing page weekly as a core security practice.
  7. Ensure that timeouts at the application server, requestor, and Access Group levels are set so that idle sessions expire promptly and consistently across all three layers, which shortens the window in which a hijacked session remains usable.
  8. Configure the prconfig/suppressInserts/default and prconfig/includeParameterPage/default dynamic system settings (DSS) so that parameter values are omitted from the prepared-statement inserts recorded in the Alert log.
    Note: This configuration prevents potentially sensitive data values (for example, customer account numbers and Social Security numbers) from displaying in the Alert log file.
  9. Ensure that properties use the correct type (for example, integers and dates, not just text) to prevent injection vulnerabilities caused by improper type handling.
  10. Encrypt sensitive data in Pega Platform data stores by encrypting entire classes or individual property values to protect against data exposure.
  11. In each Ruleset version, on the Security tab, select the Lock this Version checkbox and enter a password to prevent unauthorized modifications.
  12. In each Ruleset Rule, on the Security tab, select the Use checkout? checkbox and enter three distinct passwords to limit the ability to add versions, update versions, and update the Ruleset Rule itself.
  13. Ensure that connectors and services have suitable security measures in place.
  14. Ensure all default service packages and custom authentication services are properly secured.
  15. Set up Cross-Origin Resource Sharing (CORS) policies to secure access to your application's REST services from external systems.
  16. Enable Cross-Site Request Forgery (CSRF) protection to prevent unauthorized actions in authenticated user sessions.
  17. Configure the new security/csrf/blockCSRFNonAjaxGet DSS to true to add validation for non-AJAX GET requests that use SafeURL objects.
  18. If the application allows document uploads, ensure that a virus checker is installed.
  19. Ensure that file types are restricted to prevent malicious file uploads.
  20. Enable Pega Runtime Application Self-Protection (RASP), available for Pega Cloud 3 users and containerized client-managed deployments, to protect the application from Java injection attacks in real time.
    Unlike traditional pattern-based mitigation techniques, RASP is an instrumentation-based approach that can prevent sophisticated, novel attack methods.
  21. If the application connects to external repositories such as Amazon S3, Microsoft Azure Blob Storage, or Google Cloud Platform (GCP), configure Identity Federation.
    Note: This feature is available in client-managed environments. Identity Federation eliminates the need to manually enter or maintain access key IDs and secret access keys in Dev Studio. It also allows secrets to be rotated within the cloud provider's secret store without updating the Pega system.
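
As an added illustration of items 18 and 19 above (example code written for this review, not Pega code or part of the Pega attachment subsystem), the following validator restricts uploads by inspecting the leading bytes of the content rather than trusting the client-supplied file name. The signature table, the allow-list, the 10 MB limit and the sample uploads are all constructed for the example; the checks it performs complement a virus scanner rather than replace one.

```python
"""Restrict file uploads by content, not by the client-supplied file name.

Added example for checklist items 18-19; it is not Pega code. The
signature table, allow-list, size limit and sample files are constructed.
"""
from __future__ import annotations

import os

# Leading-byte signatures for the types we recognise. ZIP and EXE are listed
# even though they are not allowed, so a renamed archive or executable is
# named in the rejection reason instead of reported as "unrecognised".
SIGNATURES: dict[str, bytes] = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",   # also the container of docx/xlsx/pptx
    "exe": b"MZ",
}
ALLOWED_TYPES = {"pdf", "png", "jpg"}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    """Raised with a reason suitable for an audit log entry."""


def sniff_type(data: bytes) -> str | None:
    """Identify the content by its leading bytes, or None if unknown."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical type of an acceptable upload; raise UploadRejected otherwise.

    Order of checks: size; extension (taken from the final path component only,
    so ../x.PDF and a double extension such as x.pdf.exe are handled); content
    signature recognised; content agrees with the extension.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected(f"{len(data)} bytes exceeds limit of {MAX_BYTES}")
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("no file extension")
    ext = base.rsplit(".", 1)[1].lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not on the allow-list")
    kind = sniff_type(data)
    if kind is None:
        raise UploadRejected("content does not match any recognised type")
    if kind != ext:
        raise UploadRejected(f"content is {kind} but the name claims {ext}")
    return kind


# Constructed sample uploads: the bytes are truncated stand-ins, not real files.
SAMPLE_UPLOADS: dict[str, bytes] = {
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "logo.PNG": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",      # Windows executable renamed
    "macro.docx.png": b"PK\x03\x04\x14\x00\x06\x00",   # Office/ZIP archive renamed
    "readme.pdf.exe": b"%PDF-1.4\n",                   # double extension, last one wins
    "..\\..\\shadow.png": b"\x89PNG\r\n\x1a\n",        # traversal in name, only basename used
    "notes": b"hello",
}


def screen_uploads(uploads: dict[str, bytes]) -> dict[str, str]:
    """Run every sample through the validator and report the decision per file."""
    results: dict[str, str] = {}
    for name, data in uploads.items():
        try:
            results[name] = "accepted:" + validate_upload(name, data)
        except UploadRejected as why:
            results[name] = "rejected:" + str(why)
    return results


if __name__ == "__main__":
    for name, verdict in screen_uploads(SAMPLE_UPLOADS).items():
        print(f"{name!r:24} {verdict}")
```

The point of the ordering is that the extension check is cheap but only ever narrows the allow-list; the content check is what actually rejects a renamed executable or archive, and the two must agree before the file is accepted.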

2 Tasks to perform outside of the development environment

  1. In the system record, set the production level to 5 for the production environment.
  2. Update Configuration Sets appropriate to the environment.
  3. Update prconfig settings to reflect production requirements.
  4. Update dynamic system settings (DSS) to the values required for the target environment.
  5. Remove any unnecessary resources or servlets from the web.xml file.
  6. Rename default servlets where applicable, particularly PRServlet and PRAuth.
  7. If the application is served over HTTPS, ensure that test environments also have TLS enabled so that behaviour is verified under the same transport configuration as production.
  8. Ensure the system has been set up using a JDBC connection pool through the application server, rather than the database being configured in the prconfig.xml file.
  9. Rename and redeploy the prweb.war for each node.
  10. On the Security Policies landing page, enable security policies for CSRF and CORS settings.
  11. Define a Content Security Policy (CSP) to specify allowed resource loading locations for the user's browser.
    Note: For Constellation applications, use the default pyConstellationSecured CSP. This policy is preconfigured with recommended settings and is automatically assigned in Report-only mode when a new application is created.
  12. If the application uses third-party Web Embeds, add the Web Embed domain as an exception to the CSP.
  13. Ensure that logging levels are appropriate for production by setting them to INFO or a less verbose level (WARN or ERROR), never DEBUG, so that log files do not capture request details that could aid an attacker.
  14. Perform weekly monitoring of the Guardrails landing page to proactively identify and address security issues.
  15. Use Pega auditing features to support security event monitoring.
    Note: Pega Platform automatically tracks changes to CSP configurations, authentication policies, failed logins, password changes, and modifications to Rules or data.
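
As an added illustration of items 10 to 12 above (example code written for this review, not Pega code, and the sample policy is constructed rather than the content of pyConstellationSecured), the following helper parses a CSP header value, flags the weaknesses a reviewer should resolve before moving the policy from Report-only to enforcing mode, and adds a Web Embed origin as an exception. The directives that an embed needs (frame-src, script-src, connect-src in the default here) are an assumption for the example and depend on the particular embed.

```python
"""Parse, lint and extend a Content-Security-Policy header value.

Added example for this checklist; it is not Pega code and the sample
policy is constructed, not the content of pyConstellationSecured.
"""
from __future__ import annotations

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Fetch directives fall back to default-src when absent; frame-src falls back
# to child-src first. Only the directives this example touches are listed.
FALLBACK = {
    "frame-src": ["child-src", "default-src"],
    "script-src": ["default-src"],
    "connect-src": ["default-src"],
    "img-src": ["default-src"],
}

# Constructed sample with two deliberate weaknesses (unsafe-inline, wildcard).
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; "
    "connect-src *; "
    "frame-ancestors 'self'"
)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directive names are case-insensitive; when a directive is repeated the
    browser honours the first occurrence, so the parser does the same.
    """
    policy: dict[str, list[str]] = {}
    for clause in value.split(";"):
        parts = clause.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources that apply to `directive`, following the fallback chain."""
    for name in [directive, *FALLBACK.get(directive, [])]:
        if name in policy:
            return list(policy[name])
    return []


def lint_csp(policy: dict[str, list[str]]) -> list[str]:
    """Findings to resolve before switching from Report-only to enforcing."""
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: the application can be framed (clickjacking)")
    for name, sources in policy.items():
        if name in ("default-src", "script-src") and "'unsafe-inline'" in sources:
            findings.append(f"{name} allows 'unsafe-inline': injected inline scripts still run")
        if name in ("default-src", "script-src") and "'unsafe-eval'" in sources:
            findings.append(f"{name} allows 'unsafe-eval': string-to-code execution is permitted")
        if any(src in ("*", "http:", "https:") for src in sources):
            findings.append(f"{name} allows any origin ({' '.join(sources)})")
    return findings


def allow_embed_origin(policy: dict[str, list[str]], origin: str,
                       directives=("frame-src", "script-src", "connect-src")) -> dict[str, list[str]]:
    """Return a copy of `policy` that also permits `origin` in `directives`.

    The default directive tuple is an assumption of this example; which
    directives a given Web Embed needs depends on the embed. A directive that
    was inheriting from default-src is materialised with the inherited sources
    plus the new origin, so the exception neither widens nor narrows anything else.
    """
    updated = {name: list(sources) for name, sources in policy.items()}
    for directive in directives:
        sources = effective_sources(updated, directive)
        if origin not in sources:
            sources.append(origin)
        updated[directive] = sources
    return updated


def csp_header(policy: dict[str, list[str]], enforce: bool) -> tuple[str, str]:
    """Header name/value pair: Report-only first, enforcing once the reports are clean."""
    return (ENFORCE_HEADER if enforce else REPORT_ONLY_HEADER, serialize_csp(policy))


if __name__ == "__main__":
    base = parse_csp(SAMPLE_POLICY)
    for finding in lint_csp(base):
        print("finding:", finding)
    print(csp_header(allow_embed_origin(base, "https://embed.example.com"), enforce=False))
```

Running the sample reports the 'unsafe-inline' on script-src and the wildcard connect-src as findings; the embed exception lands on frame-src as a new directive seeded from default-src, so adding the origin for the embed does not accidentally let every origin be framed.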

