Mitigate common (OWASP Top 10) security vulnerabilities
Pega Platform offers policies on the Security Policies landing page, as well as additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and other types of vulnerabilities. Use these features to ensure that your system is as secure as possible.
According to their official site, the OWASP Top 10 is a standard awareness document for developers and web application security specialists. It represents a broad consensus about the most critical security risks to web applications.
Pegasystems uses the 2017 OWASP Top 10 Web Application Security Risks as a means of focusing on the most effective steps towards producing more secure code and applications.
OWASP Top 10 Web application security risks
The 2017 OWASP Top 10 Web application security risks include the following:
- Injection: Pega Platform prevents execution of unintended commands or access to data without proper authorization. For more information, see:
- Broken authentication: Pega Platform can prevent authentication and session management from being implemented incorrectly. For more information, see:
- Sensitive data exposure: Pega Platform aids in proper configuration to protect sensitive data. For more information, see:
- XML external entities (XXE): Older or poorly configured XML processors evaluate external entity references within XML documents. Pega Platform follows leading practices in all of our code, in which XML parsing prevents XXE. As part of the security development life cycle (SDLC), Pega Platform has code scanners that check new or modified code and merges it into the repository. Through this process, bad code is blocked from the repository and must be addressed before the merge can be complete.
- Broken access control: Pega Platform restricts what authenticated users are allowed to do and the policies surrounding user access as properly enforced. For more information, see Using Access Control Checks.
- Security misconfiguration: As the most common security issue, Pega Platform applications must be securely configured and updated and patched in a timely fashion. For more information, see:
- Cross-site scripting XSS: Pega Platform For more information, see Understanding cross-site scripting.
- Insecure deserialization: Pega Platform allows for proper deserialization, which prevents remote code execution. For more information, see Configuring the deserialization filter.
- Using components with known vulnerabilities: Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. There are several layers related to this issue. The easiest way to combat components with known vulnerabilities is to verify that all of the pieces of your applications are the most up to date, secure versions available. This includes installation of all upgrades and patches. This should also be done with all external services, Pega Platform, and computer operating systems. Pega Platform uses 3rd third-party components that also need to be secured. Scanners run in the background that analyze libraries used in the product and see whether those libraries are at risk, which is then reported.
- Insufficient logging and monitoring: Pega Platform has sufficient logging and monitoring coupled with effective incident response. For more information, see:
Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF was part of the 2013 OWASP Top 10. Pega Platform continues to provides protections against CSRF. For more information, see Understanding cross-site request forgery
- Configuring the Java injection check
- Implementing security guidelines for custom HTML
- Compliance with regulatory standards
- Using Access Control Checks
- Using HTTP response headers
- Defining cross-origin resource sharing policies
- Understanding cross-site scripting
- Configuring the deserialization filter
- Understanding cross-site request forgery