Vulnerability testing policy for applications on Pega Cloud
Pega Cloud Services clients and Pega Cloud for Government clients (hereinafter referred to as "Pega Cloud" clients) may conduct security assessments of their applications on Pega Cloud only when the assessment is preauthorized and performed within the guidelines described in this article. Application-tier vulnerability scanning is permitted so that clients can assess and report on the security of their cloud-delivered applications, client-directed development, and services for internal audit or compliance programs.
Environments that may be tested
Pega Cloud clients are permitted to conduct application vulnerability tests on their Pega Platform applications that are deployed in Preproduction (large sandbox) and Production environments. Pega Cloud clients are not permitted to conduct application vulnerability tests on any trial environments.
Pega Cloud clients are also permitted to conduct application vulnerability tests on their Pega applications that are deployed in Development and Test (small sandbox) environments. However, Pega Cloud clients should be aware that Development and Test environments are, by design, more open than Production environments, and may show issues that will not be present in Production environments.
Testing should focus on Pega Cloud clients’ applications rather than the Development environment. Testing of the Development environment itself is not recommended for several reasons:
- The Development environment, by design, allows software development and modification of the running system. For example, RuleSets may be unlocked in a Development and Test environment because development is still in progress and rules are being changed, whereas in a Production environment all RuleSets should be locked. Testers and scanners will therefore report findings that are inherent to a Development and Test environment: issues that would be high risk in a Production environment but are necessary on a development system.
- Penetration testing can damage the system under test, including the application rules themselves. Take a complete backup of your applications before doing any testing.
- The Pega Platform portals (AppStudio, DevStudio, etc.) are much larger in scope than most user-facing applications, and will take more time and expense to test.
Development and Test environments should not be used for production services or for hosting sensitive or production data.
Policy Terms and Conditions
Each requestor must agree to and abide by the following terms set by Pegasystems before receiving authorization to conduct any security assessment or penetration testing. All security testing must comply with the Pegasystems Security Testing Terms and Conditions. Security Testing (the "Testing"):
- Testing is not authorized until Pega Cloud Security validates the information and returns a fully-executed authorization form with an authorization number to the requesting party.
- Testing will be limited to the services, network bandwidth, requests per minute, instance-type, and duration outlined in this agreement, the client's services agreement, and the Pega Cloud Acceptable Use Policy.
- The client is only permitted to test their Pega applications. The client is not permitted to attempt to penetrate beyond their applications, or to attempt to breach the Pega Cloud infrastructure or supporting services.
- The client is responsible for any damages to Pega Cloud or other Pega Cloud clients that are caused by their penetration testing activities.
- If, in the course of the security assessment, the client discovers any vulnerability or other security issue rated “very high” or “critical” within Pega Cloud, the client must report it directly to Pegasystems within 24 hours of discovery. The client may continue other testing, but is not permitted to further exploit or test against any suspected critical or very high vulnerability or other security issue. See “Reporting a finding” below for details on how to report an issue.
- Upon completion of their testing, the client must submit an executive summary report (at minimum) to Pega GCS via a Service Request through the Support Portal, and request a review of the findings. Sending a full report is recommended.
- Distribution of the report beyond Pegasystems and the client is subject to mutual written agreement.
- To extend or modify the agreed-upon testing period, the client must submit a new request.
Reporting a finding
If the client discovers any vulnerability or other security issue rated “very high” or “critical” within Pega Cloud in the course of their security assessment, they must report it directly to Pegasystems within 24 hours of discovery by opening a new request through My Support Portal.
In the request, choose For something I need and then click Other. For the latest documentation on making requests, see My Support Portal: New Design, Streamlined Features.
Vulnerability testing process for applications on Pega Cloud
Download the Vulnerability Testing Request form
As part of the Vulnerability Testing Process for applications on Pega Cloud Services (PCS) or Pega Cloud for Government, clients must download and complete the Vulnerability Testing Request form, including manual (not electronic) signatures.