
Rule Security Analyzer tool

The Rule Security Analyzer tool identifies potential security risks in your Pega Platform™ application that can expose it to attacks such as cross-site scripting (XSS) and SQL injection. These risks typically occur in non-autogenerated Rules, such as stream Rules (HTML, JSP, XML, or CSS) and hand-written Java or SQL statements, because the platform cannot apply its own output encoding or parameter binding to code it did not generate.

To detect these risks, the Rule Security Analyzer scans non-autogenerated Rules and compares each line of code against regular expression Rules. The tool examines text, HTML, JavaScript, and Java code in function Rules and individual Java method steps in activities. The Rule Security Analyzer scans the following Rule Types:

  • HTML
  • Control
  • Harness
  • Section
  • HTML Fragment
  • Flow Action
  • Paragraph
  • Text File
  • Function
  • Activity
  • ListView
  • Correspondence Fragment
  • Correspondence

The Rule Security Analyzer searches for vulnerabilities by matching code against regular expressions defined in Rule Analyzer Regular Expressions Rules. Several sample Rules are provided to help you detect common vulnerabilities. You can also create your own regular expression Rules to search for additional patterns.

Run the Rule Security Analyzer tool regularly during development and testing to verify application security. For best results, run the tool multiple times, each time using a different regular expression Rule to identify and fix potential vulnerabilities.

Note: Only trained security staff should review the output of the Rule Security Analyzer tool. These reviewers are better equipped to identify false positives and to remediate Rules that contain actual vulnerabilities.

Run the Rule Security Analyzer before locking a Ruleset to identify and correct issues in Rules before they are locked. The tool typically completes its scan in a few minutes.

For more information about the Rule Security Analyzer, see Analyzing security vulnerability, Implementing security guidelines for custom HTML, and Regular Expression Rules.

Integration with Deployment Manager

The Rule Security Analyzer integrates with continuous integration and continuous delivery (CI/CD) pipelines through the Deployment Manager service. During the Quality Assurance Stage of the deployment pipeline, the tool runs automatically to identify security vulnerabilities before applications are released to higher environments. This integration makes security assessments part of continuous integration.

The Rule Security Analyzer now categorizes vulnerabilities as either critical or non-critical:

Critical vulnerabilities automatically fail the deployment pipeline task to prevent unsafe content from progressing. Examples include:

  • Unfiltered user input used directly in HTML output
  • Unsanitized SQL queries that could allow injection attacks
  • Dangerous JavaScript eval() functions with user-controllable input

Non-critical vulnerabilities enable the deployment to continue but include warnings for stakeholders to review and address. Examples include:

  • Deprecated security methods that have more secure alternatives
  • Potential information disclosure in error messages
  • Insecure configuration settings that could be improved

Improved reporting capabilities

The deployment report provides detailed information about detected vulnerabilities:

  • Rule name and type
  • Ruleset and version information
  • Specific vulnerability details
  • Suggested remediation approaches
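The following is an added illustration, written for this page and not code from Pega or from the Rule Security Analyzer itself. It shows, in one small Python scanner, the two mechanisms described above: the line-by-line comparison of non-autogenerated Rule source against regular expression Rules, and the Deployment Manager gate that fails the pipeline task on a critical finding while only warning on a non-critical one, together with a report carrying Rule name and type, Ruleset and version, the finding, and a remediation hint. The regex patterns, their names, the sample Rules, and the filter-function names the XSS pattern treats as "safe" (crossScriptingFilter, htmlEncode) are all constructed assumptions, not Pega's shipped sample Rules.

```python
# Added example: a line-oriented regex scanner with critical/non-critical gating.
# Not Pega's Rule Security Analyzer; every pattern, name and sample below is constructed.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegexRule:
    """One 'Rule Analyzer Regular Expression' style check (constructed)."""
    name: str
    pattern: re.Pattern
    severity: str        # "critical" fails the pipeline, "non-critical" only warns
    remediation: str


@dataclass(frozen=True)
class Finding:
    rule_name: str       # name of the application Rule that was scanned
    rule_type: str
    ruleset: str         # "RuleSet:version"
    line_no: int
    line: str
    regex_rule: str      # which regex check fired
    severity: str
    remediation: str


# Constructed checks. The filter names crossScriptingFilter/htmlEncode are an
# assumption about what a "safe" JSP expression looks like in this example.
REGEX_RULES = [
    RegexRule("XSS-UnfilteredParam",
              re.compile(r'<%=(?![^%]*(?:crossScriptingFilter|htmlEncode))[^%]*\bgetParamValue\s*\('),
              "critical", "HTML-encode the parameter value before emitting it in the stream."),
    RegexRule("SQLi-StringConcat",
              re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE),
              "critical", "Use a parameterised query with bind variables instead of concatenation."),
    RegexRule("JS-EvalUserInput",
              re.compile(r'\beval\s*\(\s*(?:document\.|location\.|window\.location|request\.)'),
              "critical", "Remove eval(); parse the input with JSON.parse() or a whitelist."),
    RegexRule("Info-StackTraceInOutput",
              re.compile(r'\bprintStackTrace\s*\('),
              "non-critical", "Log the exception server-side and show the user a generic message."),
]

# Constructed non-autogenerated Rules standing in for an application's hand-written code.
SAMPLE_RULES = [
    {"name": "ShowGreeting", "type": "HTML Fragment", "ruleset": "MyApp:01-01-01",
     "source": '<div><%= tools.getParamValue("UserName") %></div>\n'},
    {"name": "LookupOrders", "type": "Activity", "ruleset": "MyApp:01-01-01",
     "source": 'String sql = "SELECT * FROM orders WHERE cust=\'" + custId + "\'";\n'
               'pstmt = conn.prepareStatement(sql);\n'},
    {"name": "RunScript", "type": "Text File", "ruleset": "MyApp:01-01-01",
     "source": "var cfg = eval(document.location.hash.substring(1));\n"},
    {"name": "ErrorPage", "type": "Section", "ruleset": "MyApp:01-01-01",
     "source": "<pre><% ex.printStackTrace(new PrintWriter(out)); %></pre>\n"},
    {"name": "SafeGreeting", "type": "HTML Fragment", "ruleset": "MyApp:01-01-01",
     "source": '<div><%= StringUtils.crossScriptingFilter(tools.getParamValue("UserName")) %></div>\n'},
]


def scan_rule(rule: dict, regex_rules=REGEX_RULES) -> list[Finding]:
    """Compare every line of one Rule's source against every regex check."""
    findings = []
    for line_no, line in enumerate(rule["source"].splitlines(), start=1):
        for check in regex_rules:
            if check.pattern.search(line):
                findings.append(Finding(rule["name"], rule["type"], rule["ruleset"],
                                        line_no, line, check.name,
                                        check.severity, check.remediation))
    return findings


def scan_application(rules, regex_rules=REGEX_RULES) -> list[Finding]:
    return [f for rule in rules for f in scan_rule(rule, regex_rules)]


def pipeline_verdict(findings) -> dict:
    """Deployment Manager style gate: any critical finding fails the task;
    non-critical findings are reported as warnings and let it proceed."""
    critical = sum(1 for f in findings if f.severity == "critical")
    non_critical = sum(1 for f in findings if f.severity == "non-critical")
    return {"status": "FAILED" if critical else "PASSED",
            "critical": critical, "non_critical": non_critical}


def deployment_report(findings) -> str:
    """Rule name/type, Ruleset:version, vulnerability detail and remediation per finding."""
    out = []
    for f in findings:
        out.append(f"[{f.severity.upper()}] {f.rule_type} '{f.rule_name}' ({f.ruleset}) "
                   f"line {f.line_no}: {f.regex_rule}")
        out.append(f"    code: {f.line.strip()}")
        out.append(f"    fix:  {f.remediation}")
    return "\n".join(out)


if __name__ == "__main__":
    results = scan_application(SAMPLE_RULES)
    print(deployment_report(results))
    print(pipeline_verdict(results))
```

Running the script reports four findings (three critical, one non-critical) and a FAILED verdict; the SafeGreeting fragment, whose parameter value passes through a filter, produces none. The example also shows why trained reviewers are needed: because each check sees one line at a time, a filter applied on a previous line is reported as a false positive, and a SQL statement concatenated across several lines is missed entirely, so the scanner's output is a starting point for review rather than a verdict on the Rule.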

Security excellence webinar

For additional details about security design, see the Security excellence webinar.
