
Security Checklist review

The Security Checklist in Pega Platform™ provides best practices for securely deploying Pega applications. It helps you track task completion through the Home page of Dev Studio and through built-in status tools.

Security is a shared responsibility between Pega and its clients. Each Pega Platform release strengthens security features to protect applications and data from unauthorized access.

Key benefits of the Security Checklist:

  • Offers Pega’s leading practices for secure deployment.
  • Protects confidentiality, integrity, and availability in production.
  • Indicates when tasks should be performed: early development, ongoing, or pre-deployment.
  • Reduces costly rework late in development.

To support tracking, Pega automatically installs an application guideline Rule instance with the checklist tasks for each application version.

You open the checklist from the Application Guides menu in Dev Studio.

[Figure: Security Checklist resources in the Application Guides menu of Dev Studio]

The Security Checklist offers Pega best practices for the secure deployment of applications. It helps safeguard the confidentiality, integrity, and availability of your application during its production phase. The checklist delineates the optimal timing for each Task, emphasizing when to perform them: 

  • At or near the Project's initiation. 
  • On an ongoing basis throughout Development. 
  • Just before the Deployment phase. 

By adhering to the Security Checklist, you can proactively address security concerns at the outset, maintain vigilance throughout Development, and prevent costly rework in the later stages of the Development process.

The Security Checklist comprises core tasks and additional tasks. Core tasks in the Security Checklist occur during the development and production stages. 

Security is critical, and as a Lead System Architect (LSA), it is your responsibility to maintain the confidentiality, integrity, and availability of your application. 

Core tasks to perform during development

Perform the following actions to define the security of your application during development:

  • Address Security alerts promptly. 
    • Examples of security alerts include: 
      • SECU0001 - Unexpected properties received in an HTTP request
      • SECU0019 - Unauthorized request detected
  • Securely authenticate attempts to access services.
    • To configure a stronger authentication mechanism that matches your organization’s requirements, use a custom Authentication Service.
    • To build authenticated custom REST services, use a custom Service Package that employs a suitable authentication mechanism in line with your organization’s requirements. 
  • Define appropriate roles and privileges to restrict access.
  • Appropriately encrypt data.
    • Encryption is a method to safeguard sensitive data within your application without impacting the functionality of the Pega Platform. 
    • Encryption uses a cipher algorithm to transform readable text (plaintext) into an unreadable secret format (ciphertext). The ciphertext can be turned back into plaintext only with the corresponding decryption key, so the protection is only as strong as the handling of that key.
  • Review the Application Guardrails landing page weekly and make changes to keep your application Rules in compliance. 

Core tasks to perform during production

Perform the following actions to define the security of your application during the production phase:

  • Set the system production level to 5.
  • Lock Rulesets.
  • Do not deploy checked-out Rules.
  • Block unnecessary roles and operators from production.
  • Secure passwords.
  • Configure application settings and system settings for production.
  • Configure cross-site request forgery (CSRF) settings.
  • Define appropriate Content Security Policies.
  • Define appropriate Cross-Origin Resource Sharing (CORS) policies for REST services.
  • Configure logging levels appropriately.
  • Define and map authentication services to the application.
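The CSRF, Content Security Policy and CORS items above are configured in Dev Studio; before go-live a practitioner also verifies what the deployed application actually returns. The following Go program is an added example, not code from Pega or from this checklist: it audits a response header set for the weaknesses those three items are meant to remove (unsafe script sources, a missing frame-ancestors directive, a wildcard or credentialed CORS origin, and session cookies without Secure, HttpOnly or SameSite). The two header sets, the cookie name and the example hostnames are constructed for the demonstration; to check a real environment, build the http.Header from a response captured with curl -i or a browser's network panel.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// parseCSP splits a Content-Security-Policy value into directive -> source list.
func parseCSP(policy string) map[string][]string {
	directives := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		directives[strings.ToLower(fields[0])] = fields[1:]
	}
	return directives
}

func hasSource(sources []string, want string) bool {
	for _, s := range sources {
		if strings.EqualFold(s, want) {
			return true
		}
	}
	return false
}

// cookieAttrs returns the cookie name and its lower-cased attributes from a Set-Cookie value.
func cookieAttrs(setCookie string) (string, map[string]string) {
	parts := strings.Split(setCookie, ";")
	name := strings.TrimSpace(strings.SplitN(parts[0], "=", 2)[0])
	attrs := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(strings.TrimSpace(p), "=", 2)
		val := ""
		if len(kv) == 2 {
			val = strings.ToLower(kv[1])
		}
		attrs[strings.ToLower(kv[0])] = val
	}
	return name, attrs
}

// AuditHeaders returns one finding per weakness in the headers covered by the
// production checklist: CSP, CORS and the cookie-side half of CSRF defence.
func AuditHeaders(h http.Header) []string {
	var findings []string

	// CSP: scripts fall back to default-src when script-src is absent.
	if csp := h.Get("Content-Security-Policy"); csp == "" {
		findings = append(findings, "CSP: header missing")
	} else {
		d := parseCSP(csp)
		scripts, ok := d["script-src"]
		if !ok {
			scripts = d["default-src"]
		}
		if len(scripts) == 0 {
			findings = append(findings, "CSP: neither script-src nor default-src set; scripts are unrestricted")
		}
		for _, bad := range []string{"'unsafe-inline'", "'unsafe-eval'", "*", "data:"} {
			if hasSource(scripts, bad) {
				findings = append(findings, "CSP: script source allows "+bad)
			}
		}
		if _, ok := d["frame-ancestors"]; !ok {
			findings = append(findings, "CSP: frame-ancestors missing; framing (clickjacking) not restricted")
		}
	}

	// CORS: a wildcard origin exposes REST responses to every site; with credentials it is a misconfiguration.
	acao := h.Get("Access-Control-Allow-Origin")
	creds := strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true")
	switch {
	case acao == "*" && creds:
		findings = append(findings, "CORS: wildcard origin combined with credentials")
	case acao == "*":
		findings = append(findings, "CORS: wildcard origin; any site can read this response")
	case acao == "null":
		findings = append(findings, "CORS: 'null' origin is matchable by sandboxed iframes")
	case acao != "" && !strings.Contains(strings.ToLower(h.Get("Vary")), "origin"):
		findings = append(findings, "CORS: per-origin response without Vary: Origin; caches may serve it cross-origin")
	}

	// Session cookies: Secure, HttpOnly and SameSite are what the CSRF settings rely on.
	for _, sc := range h.Values("Set-Cookie") {
		name, attrs := cookieAttrs(sc)
		if _, ok := attrs["secure"]; !ok {
			findings = append(findings, "Cookie "+name+": missing Secure")
		}
		if _, ok := attrs["httponly"]; !ok {
			findings = append(findings, "Cookie "+name+": missing HttpOnly")
		}
		if ss := attrs["samesite"]; ss == "" || ss == "none" {
			findings = append(findings, "Cookie "+name+": SameSite absent or None")
		}
	}
	return findings
}

// WeakHeaders is a constructed response with the usual pre-hardening mistakes.
func WeakHeaders() http.Header {
	h := http.Header{}
	h.Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline' *")
	h.Set("Access-Control-Allow-Origin", "*")
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Add("Set-Cookie", "sessionid=abc123; Path=/")
	return h
}

// HardenedHeaders is the same response after the checklist items are applied (constructed).
func HardenedHeaders() http.Header {
	h := http.Header{}
	h.Set("Content-Security-Policy", "default-src 'self'; script-src 'self' https://static.example.com; frame-ancestors 'none'")
	h.Set("Access-Control-Allow-Origin", "https://app.example.com")
	h.Set("Vary", "Origin")
	h.Add("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")
	return h
}

func main() {
	for name, h := range map[string]http.Header{"weak": WeakHeaders(), "hardened": HardenedHeaders()} {
		findings := AuditHeaders(h)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The weak set produces seven findings and the hardened set none. The CORS check deliberately treats a wildcard origin on its own as a finding, because the checklist item applies to REST services, where a wildcard means any site can read the response.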

Additional tasks

The following settings do not apply to all applications, but depend on client needs and are application-specific:

  • Password format policies
  • CAPTCHA policies
  • Session lockout policies
  • Login attempt auditing policies
  • Multifactor authentication 
  • Operator access policies
  • Configuration of authentication timeouts
  • Secure Database access
  • Audit changes to application data
  • Configuration of security event logging

Security checklist for Pega Cloud

For applications on Pega Cloud® services, you must address additional considerations when completing the Security Checklist:

  • Best Practices: Adhere to the Pega Security Checklist, focusing on:
    • Encryption: Use BLOB or property encryption and envelope encryption with client-managed keys.
    • Authentication: Implement secure methods such as OAuth.
    • Testing: Conduct various tests, in line with organizational policies.
  • Certificate Management:
    • Avoid certificate pinning, which breaks connectivity whenever the service certificate is renewed; rely on standard chain validation and Certificate Transparency monitoring instead.
    • If pinning is unavoidable, pin to the Amazon root certificates rather than to leaf certificates, and keep that pinned set current as part of regular application updates.
  • Secure File Uploads:
    • Implement virus scanning and restrict file types (by inspecting content, not only the file extension).
    • Keep virus checkers up to date and verify the upload settings so that unauthorized file types cannot be uploaded.
  • Development and Testing:
    • Use sample data in non-production environments, ensuring that no sensitive information is present.
    • Anonymize live data if necessary and securely delete it post-testing.

For more information, see Security checklist.