Vulnerability testing process for applications on Pega Cloud
Pega Cloud Services clients and Pega Cloud for Government clients (hereinafter referred to as "Pega Cloud" clients) can conduct security assessments for applications on Pega Cloud when such assessments are preauthorized and performed within the guidelines described in this article. Application-tier vulnerability scanning is allowed when Pega Cloud clients need to assess and report on the security of their cloud-delivered applications, client-directed development, and services for internal audit or compliance programs.
Vulnerability Testing Process
Pega Cloud clients must:
1. Adhere to the Pega Cloud Acceptable Use Policy.
2. Adhere to the Pega Cloud Vulnerability Testing Policy.
3. Validate that the tool or service they will use for vulnerability testing is not configured to perform any of the functions listed in the Prohibited Activities section of the Vulnerability Testing Policy.
4. Secure their deployed applications according to the Security Checklist.
Before doing any vulnerability testing, Pegasystems requires that clients harden the applications that will be tested. For details on application hardening, please review the Security Checklist and complete all the applicable steps.
Note that some of the steps in the Security Checklist do not apply to a Pega Cloud Development and Testing environment. For example, one step states to "set the system production level to 5." Pega Cloud Development and Testing environments are set to "2" and should not be changed. Clients must take these differences into account when reviewing vulnerability test results.
1. Initiate a Pega Support request.
Authorized contacts for the client submit a service request ticket in My Support Portal, or call the help desk, to start the approval process for the client-led vulnerability scan.
2. Complete and sign the Application Vulnerability Test Request Form.
The client must submit a completed and signed Application Vulnerability Test Request Form before the request approval process can be initiated.
Download the Application Vulnerability Test Request Form, complete it, and attach it to the support request.
The following information must be provided on the form:
- Contact details, including email address and office and mobile phone numbers
- Description of the assessment and test cases
- Inventory of the assessment tools, or the service that conducts the assessment
- Source IP address of the scanning tool or service
- Signature of the authorized client contact who makes the request
3. The Request Form is reviewed.
Pega Cloud Security and the client review the Application Vulnerability Test Request Form to ensure that the scope and testing tools or service to be used meet the terms and conditions of the agreement.
4. An authorization code is provided.
After the request is approved and fully executed, the client receives an authorization code and notification of the time frame (usually one week) in which to complete the testing.
5. Provide report to Pega through My Support Portal.
The client is required to share at least an executive summary report of the vulnerability test results with Pega, to support the continuous improvement of Pega Cloud services; sharing the full report is requested. Submit the report to Pega through My Support Portal.
Distribution of the report beyond Pegasystems and the client is subject to mutual written agreement.
Tips for Security Testing
Your security testing should be a positive experience that efficiently gathers the objective evidence you need, without errors or interruptions. Below are some helpful tips to ensure successful testing:
- Rate limits – Limit your scanning to 1 Gbps or 10,000 RPS.
- Source testing IP addresses – Because cloud environments are dynamic, verify before each test that you still own every source IP address listed in your test plan. Any attempt to test from unauthorized source IPs will be considered a violation of the Pega Cloud Acceptable Use Policy.
- Allow list – Pega Cloud clients that use allow lists, or that restrict access to their environments to private networks, must request a temporary allow-list entry for the source testing IP addresses through My Support Portal.