Requirements for securing an application
Involve the individual in charge of application security in your organization from the project's beginning, to identify any specific requirements and standards, as well as the extent of the penetration testing to be performed.
Rules
To secure the rules in your application, perform the following tasks:
- Verify that properties are of the correct type, such as integers or dates, instead of just text.
- Run the Rule Security Analyzer and address any identified issues.
- Resolve any security issues found in the Guardrail report.
Rulesets
Before promoting an application from the development environment, lock each ruleset version, except for the production ruleset. Additionally, secure the ability to add versions, update versions, and update the ruleset rule itself by entering three distinct passwords on the security tab of the ruleset record. However, if you use Pega Deployment Manager for automatic deployment, locking the rulesets requires additional consideration.
Documents
If documents can be uploaded into the application, perform the following tasks:
- Install a virus checker to enforce which files can be uploaded. Use an extension point in the CallVirusCheck activity to ensure that a virus checker is installed.
- Restrict file types by adding a When rule or decision table to the SetAttachmentProperties activity to evaluate whether a document type is allowed.
Authorization
Verify that the authorization scheme is implemented and has been thoroughly tested to meet requirements. Ensure that the production level is set to an appropriate value in the System record. For the production environment, set the production level to 5. The production-level value affects Rule-Access-Role-Obj and Rule-Access-Deny-Obj rules, which control the classes that can be read and updated by a requestor with an access role. If this setting interferes with valid user needs, add focused Rule-Access-Role-Obj rules that allow access instead of lowering the production level.
Authentication
Enable the security policies in your application: in the header of Dev Studio, click Configure > Org & Security > Authentication > Security Policies. Security Policies are compatible with the following Authentication Types:
- Basic Credentials
- SAML 2.0
- OpenID Connect
If additional security policies are required, add a validation rule. Set appropriate time-outs at the application server level, requestor level, and access group level.
Integration
Collaborate with the application security team and external system teams to ensure that connectors and services are appropriately secured.
Operators and access groups
If your installation of Pega Platform was deployed in secure mode from the very beginning, users are disabled by default. If your installation was not deployed in secure mode, disable any unused users. Then, enable security auditing for changes to operator passwords, access groups, and application rules.
Review the Unauthenticated access group to ensure that it has the minimum required access to rules.
Dynamic System Settings
Configure the dynamic system settings as described in the Security Checklist for a production environment.
Deployment
When deploying an application to an environment other than development, limit or block functionality for certain features and remove unnecessary resources. Default settings expose an application to risks because they provide a known starting point for intruders. Removing defaults reduces overall risk dramatically.
Make the following changes to default settings:
- Rename prweb.war and deploy it only on nodes that require it. Knowledge of the folder and content of prweb.war is a high security risk because it provides access to the application.
- Remove any unnecessary resources or servlets from the web.xml. Rename default servlets where applicable, particularly PRServlet and PRAuth.
- Rename prhelp.war and deploy it on a single node per environment.
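The servlet renaming step above can be checked before deployment. The following script is an added example, not Pega's own tooling: it parses a deployment descriptor and reports any servlet name or URL pattern that still uses the PRServlet or PRAuth defaults. The sample web.xml is constructed, its class names are placeholders, and checking URL patterns as well as servlet names is an assumption that goes slightly beyond the text.

```python
import xml.etree.ElementTree as ET
# Default names called out in the list above; extend for local policy.
DEFAULT_NAMES = ("PRServlet", "PRAuth")

# Constructed sample descriptor (not a real Pega web.xml); class names are placeholders.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>PRServlet</servlet-name>
    <servlet-class>example.placeholder.MainServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>CaseGateway</servlet-name>
    <servlet-class>example.placeholder.MainServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>PRServlet</servlet-name>
    <url-pattern>/PRServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>CaseGateway</servlet-name>
    <url-pattern>/PRAuth/*</url-pattern>
    <url-pattern>/cases/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def local(tag):
    """Strip the XML namespace so the check works across descriptor versions."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def audit_web_xml(xml_text, default_names=DEFAULT_NAMES):
    """Return sorted (kind, servlet_name, value) findings for default names still in use."""
    findings = set()
    for elem in ET.fromstring(xml_text):
        kind = local(elem.tag)
        name = next(iter(texts(elem, "servlet-name")), "")
        if kind == "servlet" and name in default_names:
            findings.add(("servlet-name", name, name))
        elif kind == "servlet-mapping":
            # A renamed servlet can still be reachable under a default URL path.
            for pattern in texts(elem, "url-pattern"):
                if any(seg in default_names for seg in pattern.strip("/").split("/")):
                    findings.add(("url-pattern", name, pattern))
    return sorted(findings)

if __name__ == "__main__":
    for kind, name, value in audit_web_xml(SAMPLE_WEB_XML):
        print(f"default {kind} still present: servlet={name} value={value}")
```

An empty result means that no default name remains in the descriptor; run the check against the web.xml of each renamed archive as part of the deployment pipeline.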
Database
Ensure that the system has been set up using a JDBC connection pool approach through the application server, rather than setting up the database in the prconfig.xml file.
Limit the capabilities and roles available to the PegaRULES database account on environments other than development, so that the account cannot use features that truncate tables, create or delete tables, or otherwise alter the schema. This limitation on features and roles might cause the View/Modify Database Schema tool to operate in read-only mode.