
Complete security tests

Security testing, otherwise referred to as penetration testing, is typically performed by either the client team or a specialist third-party company at the end of an engagement, shortly before go-live.

Penetration testing simulates an attack on the application by an unauthorized user. This simulation exposes security gaps that can be addressed before go-live.

Specific planning and environment preparation for this activity may be required. Note that not all engagements require security testing. This should have been agreed upfront during planning.



Penetration testing typically occurs only for major releases. It validates that security measures are in place at both the infrastructure and application levels to protect the application from unauthorized access.

Typically, tests are executed against the top 10 issues as defined by OWASP (Open Web Application Security Project).


The majority of Pega applications hold sensitive information that must be secure from unauthorized access for a number of reasons:

  • Regulatory compliance
  • Data privacy laws
  • Organizational reputational risk
  • Financial penalties
  • Prosecution


A separate, dedicated production-like environment should be set up so that penetration testing can be conducted in isolation from any other project activities. It is important to ensure that the security test team is working in a stable environment that mimics production as closely as possible. A stable environment is one in which there is data integrity, a low number of defects, and no releases mid-test cycle.

A walkthrough of the application may be required so that the security team can prepare. The test manager typically needs to dedicate some time to supporting the security test team.

Security testing should be an iterative process where any security issues are resolved between test cycles. There are typically two cycles of security testing.

For a Pega Cloud hosted environment, GCS requires 10 days’ notice in order to obtain the necessary approvals to conduct penetration testing, which must be executed within an appropriately supported environment (i.e. staging or PROD, not DEV).
