Security Checklist when not deploying on Pega Cloud
When you are deploying on-premises and not on Pega Cloud there are additional considerations you should address when completing the Security Checklist. The tasks in this section are not required if you are deploying your application to Pega Cloud, because Pega Cloud automatically performs these tasks.
During production testing, configure your application and the test environment to mirror the intended production environment. Otherwise, your testing might not uncover serious security vulnerabilities.
- Secure file uploads
- If documents can be uploaded into your application, install a virus checker to control which files can be uploaded, and restrict the file types that are uploaded.
- Pega Cloud Services environments automatically check uploaded files for viruses.
If you do not have a Pega Cloud Services environment and documents can be
uploaded into your application, we recommend you secure them as follows:
- Use a virus checker to check the files that can be uploaded. You can use an extension point in the CallVirusCheck activity to check attachments.
- Regularly update your virus checker to enable detection of new viruses.
- Restrict the file type by adding a when rule or a decision table to the SetAttachmentProperties activity to evaluate whether a document type is allowed. If a file type is not allowed (evaluated as false), you can set up a message on the step page that stops the save attachment activity from being performed.
- Verify that the XML/AllowDocTypes dynamic system setting is set to false.
For more information, see:
- Extension points and supporting rules for attachments
- Standard activities — Extension points
- Restricting user actions for case attachments
- Steps tab on the Activity form
- Apply patches, updates, and hotfixes
- Install the latest patches and updates to the operating system, application and web servers, proxies, database, and related applications.
- For Pega Platform 8.x releases, you should install the latest patch release. For earlier Pega Platform Releases you should be running the latest version, and planning to upgrade to Version 8.x in the near future.
- Regardless of what release you are running, you should frequently check for any recommended security updates, which are posted at https://collaborate.pega.com/discussion/essential-hotfixes.
- Secure web.xml
- If you are not deploying your application to Pega Cloud, make the following
changes to the web.xml deployment descriptor file:
- Limit or block access to the Pega Platform servlets that support only testing and debugging, including HeapDisplay, SecManServlet, and PRSOAPSimulator.
- Remove unnecessary resources and servlets.
- Set appropriate time-outs at the application server level and requestor level.
- Block access to the prweb/PRServlet servlet, which allows users to log in using the older platform login process instead of the newer PRAuth-based authentication services.
For more information, see Application URL patterns for various authentication service types.
If you are deploying on Pega Cloud, see Security Checklist when deploying on Pega Cloud.
- Configure PRconfig.Xml settings for production
- Verify that prconfig.xml settings are appropriate for a production environment.
- Configure the database and communications to mirror production
- Configure the system and database according to your company’s security policies and to be the same as in production environment to which the application will be deployed. This configuration should include the use of TLS for all communication between clients and the application.
- If you use TLS, remove any cipher suites that have null ciphers. This action prevents the login credentials and password from being sent in clear text format between the client and server even over a TLS connection (if a server and client discover only a null cipher suite in common).
- Configure the application server to mirror production
- Configure the application server in your test environment to mirror the configuration in your production environment.
For more information, see Implementing security guidelines for test environments.