Security Checklist review

Pega takes application and system security seriously. Security is a shared responsibility between Pega and clients. Each successive release of Pega Platform™ augments the security features and capabilities available to harden applications and systems against improper access and protect the data that those applications manage.

The Security Checklist provides Pega's leading practices for securely deploying applications. To help you track completion of its tasks, Pega Platform shows overall progress on the Dev Studio Home page (Resources > Application Guides) and provides built-in ways to record the status of each task.

The Security Checklist:

  • Provides Pega's leading practices for securely deploying applications
  • Helps protect the confidentiality, integrity, and availability of your application in production
  • Identifies when to perform each task:
    • At or near the beginning of development
    • On an ongoing basis
    • Just before deployment
  • Helps avoid expensive rework late in your development process

The Security Checklist consists of core tasks and additional tasks. Core tasks are split between those performed during development and those performed for production.

Core tasks to perform during development

  • Address Security alerts promptly.
    • Examples of security alerts include:
      • SECU0001 - Unexpected properties received in an HTTP request
      • SECU0019 - Unauthorized request detected
  • Securely authenticate attempts to access services.
    • Create an authentication profile to move messages securely to and from your application with various connector and server rules.
  • Define appropriate roles and privileges to restrict access.
  • Appropriately encrypt data.
    • Encryption is a way to protect sensitive data within your application without affecting the functionality of Pega Platform.
    • Encryption uses a cipher algorithm to turn readable text (plaintext) into an unreadable secret format (ciphertext). The ciphertext can be decrypted only through the use of the correct encryption key.

Core tasks to perform during production

  • Set the system production level to 5
  • Lock rulesets
  • Do not deploy checked-out rules
  • Block unnecessary roles and operators from production
  • Secure passwords
  • Configure dynamic system settings for production
  • Configure cross-site request forgery (CSRF) settings
  • Define appropriate Content Security Policies
  • Define appropriate Cross-Origin Resource Sharing (CORS) policies for REST services
  • Configure logging levels appropriately

Additional tasks

These settings do not apply to all applications; which ones you need depends on client requirements and is application-specific:

  • Password format policies
  • CAPTCHA policies
  • Session lockout policies
  • Login attempt auditing policies
  • Multifactor authentication
  • Operator access policies
  • Configure authentication time-outs
  • Secure Database access
  • Audit changes to application data
  • Configure security event logging
