Vulnerability testing policy for applications on Pega Cloud
Pega Cloud Services clients and/or Pega Cloud for Government clients (hereinafter referred to as "Pega Cloud" clients) can conduct security assessments for applications on Pega Cloud when such assessments are preauthorized and performed within the guidelines described in this article. Application-tier vulnerability scanning is allowed when clients need to assess and report on the security of their cloud-delivered applications, client-directed development, and services for internal audit or compliance programs.
Environments that may be tested
Pega Cloud clients are permitted to conduct application vulnerability tests on their Pega Platform applications that are deployed in Preproduction (large sandbox) and Production environments. Pega Cloud clients are not permitted to conduct application vulnerability tests on any trial environments.
Pega Cloud clients are also permitted to conduct application vulnerability tests on their Pega applications that are deployed in Development and Test (small sandbox) environments. However, Pega Cloud clients should be aware that Development and Test environments are, by definition, more open than Production environments, and may show issues that will not be present in Production environments.
Testing should focus on Pega Cloud clients’ applications rather than the Development environment. Testing of the Development environment itself is not recommended for several reasons:
- The Development environment, by design, allows for software development and modification of the running system. (For example, RuleSets may be unlocked in a Development and Test environment, because development is still occurring and changes to rules are being made; in a Production environment, all RuleSets should be locked.) If testing is performed, vulnerabilities may be found that are inherent to a Development and Test environment: testers and scanners will find issues in the Development environment that would be high risk in a Production environment but are necessary on a Development system.
- Penetration testing can damage the system being tested; this can include the application rules themselves. Be sure to completely back up your applications before doing any testing.
- The Pega Platform portals (AppStudio, DevStudio, etc.) are much larger in scope than most user-facing applications, and will take more time and expense to test.
Development and Test environments should not be used for production services or for hosting sensitive or production data.
Policy Terms and Conditions
Each requestor must abide by and agree to the following terms outlined by Pegasystems prior to receiving an authorization for conducting any security assessment or penetration testing. All Security Testing must be in line with the Pegasystems Security Testing Terms and Conditions.
Security Testing (the "Testing"):
- Testing is not authorized until Pega Cloud Security validates the information and returns a fully-executed authorization form with an authorization number to the requesting party.
- Testing will be limited to the services, network bandwidth, requests per minute, instance-type, and duration outlined in this agreement, the client's services agreement, and the Pega Cloud Acceptable Use Policy.
- The client is only permitted to test their Pega applications. The client is not permitted to attempt to penetrate beyond their applications, or to attempt to breach the Pega Cloud infrastructure or supporting services.
- The client is responsible for any damages to Pega Cloud or other Pega Cloud clients that are caused by their penetration testing activities.
- If the client discovers any vulnerabilities or other security issues which are rated “very high” or “critical” within any Pega Cloud environment in the course of their security assessment, they must report this issue directly to Pegasystems within 24 hours of discovery. The client may continue their tests, but is not permitted to further exploit or test against any suspected critical or high vulnerability or other security issue. See “Reporting a finding” in the next section for details on how to report an issue.
- Upon completion of their testing, the client must submit an executive summary report (at minimum) to Pega GCS via a Service Request through the Support Portal, and request a review of the findings. Sending a full report is recommended.
- Distribution of the report beyond Pegasystems and the client is subject to mutual written agreement.
- To extend or modify the agreed-upon testing period, the client must submit a new request.
Reporting a finding
If the client discovers any vulnerabilities or other security issues which are rated “very high” or “critical” within any Pega Cloud environment in the course of their security assessment, they must report this issue directly to Pegasystems within 24 hours of discovery, by making a new request through My Support Portal.
In this request, the client should choose "For something I need" and then click "Other". For the latest documentation on making requests, see My Support Portal: New Design, Streamlined Features.
The Short Description of this issue should use the following form:
P1 Vulnerability Finding: <short description of issue>
For example:
P1 Vulnerability Finding: activity should require permissions
(This description allows Pega to route this issue to the Cloud Security Operations team as quickly as possible.)
In the full description of the issue, please include:
- Date Issue was Discovered
- Who Discovered
- Contact Information (Who should be contacted about this issue?)
- Supporting Data and Screen Shots (excluding any sensitive or personally-identifiable information)
Permitted Services: Using Security Assessment Tools and Services
There are a variety of public, private, commercial, and/or open-source tools and services to choose from for the purposes of performing a security assessment of the client's Pega Cloud environments. The term "security assessment" refers to all activity engaged in for the purposes of determining the efficacy or existence of security controls, such as:
- Vulnerability scanning/checks
- Penetration testing
- Web application scanning
The client is not limited in their selection of tools or services to perform a security assessment of their Pega Cloud environments. However, the client is prohibited from utilizing any tools or services in a manner that performs Denial-of-Service (DoS) attacks, or simulations of such, against any Pega Cloud environments, their own or otherwise. For a list of prohibited activities, see the next section.
A security tool that solely performs a remote query of the client's Pega Cloud environments to determine a software name and version, such as "banner grabbing," for the purpose of comparison to a list of versions known to be vulnerable to DoS, is not in violation of this policy.
Additionally, a security tool or service that solely crashes a running process on the client's Pega Cloud environment, temporarily or otherwise, as necessary for remote or local exploitation as part of the security assessment, is not in violation of this policy. However, this tool may not engage in protocol flooding or resource request flooding, as described in the Prohibited Activities section.
A security tool or service that creates, determines the existence of, or demonstrates a DoS condition in any other manner, actual or simulated, is expressly forbidden.
Some tools or services include actual DoS capabilities as described, either silently/inherently if used inappropriately or as an explicit test/check or feature of the tool or service. Any security tool or service that has such a DoS capability must have the explicit ability to disable, disarm, or otherwise render harmless that DoS capability. Otherwise, that tool or service may not be employed for any facet of the security assessment.
It is the sole responsibility of the Pega Cloud client to: (1) ensure the tools and services employed for performing a security assessment are properly configured and successfully operate in a manner that does not perform DoS attacks or simulations of such, and (2) independently validate that the tool or service employed does not perform DoS attacks, or simulations of such, prior to security assessment of any Pega Cloud environments. This Pega Cloud client responsibility includes ensuring that contracted third-parties perform security assessments in a manner that does not violate this policy.
Furthermore, the client is responsible for any damages to Pega Cloud environments or other Pega Cloud clients that are caused by the client's testing or security assessment activities.
Some penetration-testing activities could trigger a number of security events or affect resources for other clients. Therefore, activities that can damage resources or cause harm to any clients’ environments are prohibited, including but not limited to the following activities:
- DNS zone walking
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS or other activity with the intent to overload, flood, or spam any part of the services
- Port flooding
- Protocol flooding (for example, SYN flooding, ICMP flooding, UDP flooding)
- Request flooding (login request flooding, HTTP request flooding, API request flooding)
- Testing of environments, domains or URLs not specifically contracted for by the client
- Intentionally sending, injecting or uploading a virus, a corrupt file, a Trojan horse or a worm (uploading an EICAR test file to test anti-malware or anti-virus effectiveness is excluded from this prohibition)