Security Checklist review

Pega prioritizes application security and system security. Security is a shared responsibility between Pega and its clients. Every new release of Pega Platform™ enhances the security features that strengthen applications and systems against unauthorized access and safeguard the data that those applications handle. 

The Security Checklist presents Pega best practices for securely deploying applications. Pega Platform offers several built-in methods to track the status of each Task and displays the overall completion of the checklist on the Dev Studio landing page to help you monitor the completion of the tasks. 

The following figure shows the Application Guides menu in Dev Studio where you can access the checklist: 

[Figure: Security Checklist resources in the Application Guides menu]

The Security Checklist offers Pega best practices for the secure deployment of applications. It helps safeguard the confidentiality, integrity, and availability of your application during its production phase. The checklist also specifies the optimal time to perform each Task:

  • At or near the Project's initiation. 
  • On an ongoing basis throughout Development. 
  • Just before the Deployment phase. 

By adhering to the Security Checklist, you can proactively address security concerns at the outset, maintain vigilance throughout Development, and prevent costly rework in the later stages of the Development process.

The Security Checklist comprises core tasks and additional tasks. Core tasks in the Security Checklist occur during the development and production stages. 

Security is critical, and as a Lead System Architect (LSA), it is your responsibility to maintain the confidentiality, integrity, and availability of your application. 

Core tasks to perform during development

Perform the following actions to define the security of your application during development:

  • Address Security alerts promptly. 
    • Examples of security alerts include: 
      • SECU0001 - Unexpected properties received in an HTTP request
      • SECU0019 - Unauthorized request detected
  • Securely authenticate attempts to access services.
    • To configure a stronger authentication mechanism that matches your organization’s requirements, use a custom Authentication Service.
    • To build authenticated custom REST services, use a custom Service Package that employs a suitable authentication mechanism in line with your organization’s requirements. 
  • Define appropriate roles and privileges to restrict access.
  • Appropriately encrypt data.
    • Encryption is a method to safeguard sensitive data within your application without impacting the functionality of the Pega Platform. 
    • Encryption uses a cipher algorithm to transform readable text (plaintext) into an unreadable secret format (ciphertext). The ciphertext can only be decrypted using the correct encryption key. 
  • Review the Application Guardrails landing page weekly and make changes to keep your application Rules in compliance. 

Core tasks to perform during production

Perform the following actions to define the security of your application during the production phase:

  • Set the system production level to 5.
  • Lock Rulesets.
  • Do not deploy checked-out Rules.
  • Block unnecessary roles and operators from production.
  • Secure passwords.
  • Configure application settings and system settings for production.
  • Configure cross-site request forgery (CSRF) settings.
  • Define appropriate Content Security Policies.
  • Define appropriate Cross-Origin Resource Sharing (CORS) policies for REST services.
  • Configure logging levels appropriately.
  • Define and map authentication services to the application.

Additional tasks

The following settings are application-specific and apply only where client needs require them:

  • Password format policies
  • CAPTCHA policies
  • Session lockout policies
  • Login attempt auditing policies
  • Multifactor authentication 
  • Operator access policies
  • Configuration of authentication timeouts
  • Secure Database access
  • Audit changes to application data
  • Configuration of security event logging

For more information, see Security checklist.
