
Identifying and mitigating security risks

Archived. Pega Platform 8.3.1, Advanced, English. This content is no longer updated.

Scenario

Front Stage's Booking application is going live in the near future. Before the application is promoted to production, a security review is required, and any security risks it finds must be reviewed and addressed.


Perform a security review of Front Stage's Booking application using the security checklist. Provide recommendations to strengthen the security of the application.

Some changes can be implemented directly in the development environment, while others are configured only after the application has been promoted to the production environment. For the changes that cannot be implemented in the development environment, create a list of configuration tasks to carry out when the application is promoted to other environments.

Detailed Tasks

Solution detail

Tasks to perform on the development environment include:

  1. Disabling unneeded out-of-the-box operators
  2. Changing the passwords of any out-of-the-box operators that remain in use
  3. Fixing any issues found by the security analyzer
  4. Fixing any security issues in the Guardrail report
  5. Ensuring that timeouts of an appropriate length are set at the application server level, the requestor level, and the Access Group level
  6. Ensuring that the Unauthenticated Access Group has the minimum required access to rules
  7. Adding the <env name="alerts/suppressalerts" value="true" /> setting to the prconfig.xml file so that sensitive property values, such as customer account numbers or Social Security numbers, do not appear in the Alert log
  8. In each ruleset version, selecting Lock this Version on the Security tab, and entering a password
  9. In each ruleset rule, selecting Use checkout? on the Security tab, and entering three distinct passwords to limit the ability to add versions, update versions, and update the ruleset rule itself
  10. Applying the correct type to all properties
  11. Applying privileges across all the relevant rules (flow actions, reports, flows)
  12. Reviewing the Unauthenticated Access Group to confirm that it has the minimum required access to rules

Tasks to perform outside of the development environment:

  1. Updating prconfig settings
  2. Updating dynamic system settings
  3. Removing any unnecessary resources/servlets from the web.xml, and renaming default servlets where applicable, particularly PRServlet
  4. If using HTTPS, ensuring that testing environments are available to test with SSL enabled
  5. Ensuring that the system has been set up to use a JDBC connection pool provided by the application server, rather than the database connection being configured in the prconfig.xml
  6. Renaming and deploying the prhelp.war once per environment (potentially on its own node, so that the endpoint URL cannot be picked up from the pop-up window)
  7. Renaming and deploying the prsysmgmt.war once per environment (potentially on its own node, so that the endpoint URL cannot be picked up from the pop-up window)
  8. Renaming and redeploying the prweb.war for each node
  9. Renaming and securing the context root for prgateway.war
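Several items on both lists above (the alerts/suppressalerts setting, the JDBC pool versus a database configured in prconfig.xml, and the default PRServlet mapping and unnecessary servlets in web.xml) can be checked mechanically before promotion. The script below is an added example, not part of the Pega Academy exercise or of Pega Platform itself. It parses a prconfig.xml and a web.xml and reports which of those checklist items are still open. The two input documents are constructed samples; the database key names under database/databases/ and the servlet names and classes in the web.xml sample are assumptions for illustration and should be compared against the deployment's own files.

```python
"""Pre-promotion configuration audit for three items on the checklist above.

Constructed sample inputs only; no file here comes from a real deployment.
"""
import xml.etree.ElementTree as ET

# Constructed prconfig.xml in the weak state: alerts are not suppressed and a
# database URL, user name and password sit inline. The database/databases/...
# key names are assumed for illustration.
SAMPLE_PRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<pegarules>
  <env name="alerts/suppressalerts" value="false" />
  <env name="database/databases/PegaRULES/url" value="jdbc:postgresql://db.example.invalid:5432/pega" />
  <env name="database/databases/PegaRULES/userName" value="pega" />
  <env name="database/databases/PegaRULES/password" value="changeme" />
</pegarules>
"""

# Constructed prconfig.xml in the hardened state: alerts suppressed and the
# database reached through an application-server JNDI data source (assumed key).
HARDENED_PRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<pegarules>
  <env name="alerts/suppressalerts" value="true" />
  <env name="database/databases/PegaRULES/dataSource" value="java:comp/env/jdbc/PegaRULES" />
</pegarules>
"""

# Constructed web.xml: the default /PRServlet path is still mapped and a
# hypothetical diagnostic servlet is deployed beside it. Class names are placeholders.
SAMPLE_WEBXML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>WebStandard</servlet-name>
    <servlet-class>com.example.PlaceholderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>WebStandard</servlet-name>
    <url-pattern>/PRServlet/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>DiagnosticServlet</servlet-name>
    <servlet-class>com.example.PlaceholderDiagnostic</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DiagnosticServlet</servlet-name>
    <url-pattern>/diag/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Default servlet path named on the checklist; the list of approved servlet
# names is a constructed allow-list the deployment team would maintain.
DEFAULT_SERVLET_PATHS = {"/PRServlet", "/PRServlet/*"}
APPROVED_SERVLETS = {"WebStandard"}
INLINE_DB_KEYS = ("url", "userName", "password")


def _local(tag):
    """Strip an XML namespace prefix so web.xml elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def prconfig_settings(xml_text):
    """Return {name: value} for every <env> element in a prconfig.xml document."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("value") for el in root.iter("env")}


def audit_prconfig(xml_text):
    """Return a list of open checklist findings for a prconfig.xml document."""
    findings = []
    settings = prconfig_settings(xml_text)
    if (settings.get("alerts/suppressalerts") or "").lower() != "true":
        findings.append("alerts/suppressalerts is not true: property values may reach the Alert log")
    for name in settings:
        if name.startswith("database/databases/") and name.rsplit("/", 1)[-1] in INLINE_DB_KEYS:
            findings.append(f"{name} is configured in prconfig.xml; use an application-server JDBC pool instead")
    return findings


def audit_webxml(xml_text, approved=APPROVED_SERVLETS):
    """Flag default servlet paths and servlets missing from the approved list."""
    findings = []
    root = ET.fromstring(xml_text)
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = pattern = None
        for child in mapping:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if pattern in DEFAULT_SERVLET_PATHS:
            findings.append(f"servlet {name} is still mapped to default path {pattern}; rename it")
        if name not in approved:
            findings.append(f"servlet {name} ({pattern}) is not on the approved list; remove it or record a justification")
    return findings


if __name__ == "__main__":
    for label, result in (("prconfig (weak)", audit_prconfig(SAMPLE_PRCONFIG)),
                          ("prconfig (hardened)", audit_prconfig(HARDENED_PRCONFIG)),
                          ("web.xml", audit_webxml(SAMPLE_WEBXML))):
        print(label, "->", result or ["no findings"])
```

Run against real files by replacing the constructed strings with the contents of the environment's prconfig.xml and web.xml; the hardened prconfig sample produces no findings, while the weak sample and the web.xml sample each list the checklist items that remain to be done in that environment.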

