Table of Contents

Security checklist for deploying applications

As an administrator, senior system architect, or lead system architect, your goal is to ensure the confidentiality, integrity, and availability of your application during development and before you move it to production. Unauthorized individuals should not have access to the application or the data in it and should not be able to modify the application or data in it. Inadequate security can prevent your application from being deployed.

Pega Platform™ provides limited security by default, which is appropriate for experimentation, learning, and application development. To maximize the integrity and reliability of applications that you create in Pega Platform, implement security features at multiple levels in a test environment. Ensure that the test environment is as close as possible to the production environment. Implement the security recommendations as soon as possible when you develop your application. However, some security recommendations are most appropriate to perform when you move an application to a production environment. Unless otherwise noted, the recommendations apply to all deployment environments, including Pega Cloud Services.

The most important security requirement for all Pega Platform applications is to maintain guardrail-compliance because Pega Platform security features cannot always be successfully enforced in custom code. However, in most cases, you can secure applications by configuring only the built-in features in Pega Platform, without relying on custom code built by developers who are not security experts.

Review the following list of security considerations and actions that you can take to strengthen the security of your application. Most of the actions have one-time implementation costs; however, some have performance costs. All these actions have significant benefits in terms of user convenience and security. Select the actions that are most applicable and beneficial to your situation.

The tasks in this security checklist represent best practices for securing Pega Platform applications in development and in production. The tasks are organized based on the timing of when they should be performed, and what key area (for example, authentication, authorization, auditing) is involved. Perform these tasks at the appropriate times during development to avoid significant rework and retesting time later.

To assist you in tracking the completion of the tasks in the checklist, Pega Platform automatically installs an application guideline rule instance that includes the tasks in the security checklist for each version of your application. For more information, see Preparing your application for secure deployment.

Assign responsibility for administering security

Monitor the security of ongoing application development

Securely authenticate all logins and REST API requests

Control access to specific data and functions

Appropriately audit changes to data and user/developer actions

Remove other vulnerabilities in your application environment

Prepare to securely migrate your application to production

Perform production testing in a production-like environment

Assign responsibility for administering security

At the beginning of application development, determine who is responsible for verifying the completion of the tasks in this checklist, and assign clear responsibility for each task.

Determine who is responsible for this checklist

Create a Security Administrator work queue. Add operators to this work queue who are responsible for verifying the completion of checklist tasks. Click the option on each task to create a corresponding user story, give it a high priority, and assign to this work queue.

For more information, see Notifying operators of work queue activity.

Monitor the security of ongoing application development

Before you deploy an application in production, you must perform several monitoring activities. You can save time and reduce costs if you perform them regularly in development, when you can make changes without requiring extensive refactoring and retesting.

Keep application rules guardrail-compliant

Review the Application Guardrails landing page weekly and make changes to keep your application rules in compliance. Many security features can be enforced only in application rules that comply with Pega Platform guardrails. Do not wait until deploying your application to eliminate non-compliant rules, because applying changes is costlier after deployment.

For more information, see Improving your compliance score.

Eliminate vulnerabilities in custom code

Run the Rule Security Analyzer weekly to search through custom (non-autogenerated) code in your rules. This utility finds specific JavaScript or SQL coding patterns that might indicate a security vulnerability. Remove vulnerabilities immediately to avoid wasting time refactoring and retesting your work.

For more information, see Searching for security vulnerabilities in rules.

Address security alerts promptly

Review run-time security alerts weekly and take appropriate remedial actions to eliminate their causes.

For more information, see Alerts, alert analysis tools and usage guidelines.

Configure properties appropriately

When you create rules, minimize data corruption by applying the correct type for all properties.

For more information, see Property form: Completing the General tab - Value modes.

Securely authenticate all logins and REST API requests

Ensure that login attempts, and attempts to access data or functions through application services, are correctly authenticated and are from known, trusted users and systems.

Configure authentication security policies

Configure the following authentication security policies to strengthen user authentication and session management:

  • Password format policies defend your system against brute force attacks in which a hacker tries thousands of randomly generated credentials or popular passwords from a password dictionary to gain access to your application.
  • CAPTCHA policies guard passwords against brute force attacks by automated processes.
  • Session lockout policies guard against brute force attacks by locking out operator IDs with too many failed login attempts.
  • Policies for auditing login attempts can help identify patterns of suspicious behavior.
  • Multifactor authentication increases identity verification by requiring a second, one-time password that is sent to the operator from a separate device or account.
  • Operator access policies automatically disable operator IDs that are inactive for a specified number of days.

For more information, see Managing security policies.
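The session lockout and login-audit policies above are configured in Pega, not coded. The following added example (not Pega's policy engine or any code from this page) models the rule those policies enforce, locking an operator ID after a number of failed logins inside a sliding window, and replays it over a constructed login log. The log lines, thresholds, and field layout are assumptions made for the example.

```python
"""Lockout-policy replay over a constructed login log (added example, not Pega code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the real values come from the Pega security policy landing page.
MAX_FAILURES = 5                 # failures ...
WINDOW = timedelta(minutes=5)    # ... within this window ...
LOCKOUT = timedelta(minutes=15)  # ... lock the operator ID for this long

# Constructed audit lines: "<timestamp> <operator> <result> <source-ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice@acme.example FAIL 203.0.113.7
2024-03-01T09:00:05 alice@acme.example FAIL 203.0.113.7
2024-03-01T09:00:09 alice@acme.example FAIL 203.0.113.7
2024-03-01T09:00:14 alice@acme.example FAIL 203.0.113.7
2024-03-01T09:00:20 alice@acme.example FAIL 203.0.113.7
2024-03-01T09:00:25 alice@acme.example SUCCESS 203.0.113.7
2024-03-01T09:03:00 bob@acme.example FAIL 198.51.100.9
2024-03-01T09:30:00 bob@acme.example FAIL 198.51.100.9
2024-03-01T09:31:00 bob@acme.example SUCCESS 198.51.100.9
2024-03-01T09:40:00 alice@acme.example SUCCESS 192.0.2.10
"""


def evaluate(log_text: str):
    """Replay the log and return (blocked_attempts, lock_events).

    blocked_attempts: log lines that arrived while the ID was locked; the policy
    rejects them even when the password is right, which is the point of lockout.
    lock_events: (operator, time) pairs recording when each lockout started.
    """
    recent = defaultdict(deque)   # operator -> timestamps of failures inside the window
    locked_until = {}             # operator -> time the lock expires
    blocked, locks = [], []
    for line in log_text.splitlines():
        ts_text, operator, result, _ip = line.split()
        ts = datetime.fromisoformat(ts_text)

        # Failures older than the window no longer count toward the threshold.
        failures = recent[operator]
        while failures and ts - failures[0] > WINDOW:
            failures.popleft()

        if operator in locked_until and ts < locked_until[operator]:
            blocked.append(line)      # attempt during lockout: rejected outright
            continue

        if result == "FAIL":
            failures.append(ts)
            if len(failures) >= MAX_FAILURES:
                locked_until[operator] = ts + LOCKOUT
                locks.append((operator, ts))
                failures.clear()
        else:
            failures.clear()          # a genuine success resets the counter
    return blocked, locks


if __name__ == "__main__":
    blocked_lines, lock_events = evaluate(SAMPLE_LOG)
    for operator, when in lock_events:
        print(f"LOCKED {operator} at {when.isoformat()}")
    for line in blocked_lines:
        print(f"BLOCKED {line}")
```

In the sample log the sixth attempt against alice@acme.example is a SUCCESS from the same source address, which is what a brute-force run that finally guesses the password looks like; because the fifth failure already locked the ID, that attempt is rejected. bob's two failures are 27 minutes apart, so the sliding window never reaches the threshold and he is not locked.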

Configure authentication time-outs

Set an appropriate authentication time-out for each access group according to corporate standards. Configure this setting on the Advanced tab of the Access Group form. For custom authentication, set this time-out to be longer than the time-out in the external authentication service.

For more information, see Configuring security settings for an access group.

Securely authenticate attempts to access services

Make application services to external systems and requestors secure by using appropriate authentication. Ensure that each service package uses a strong authentication profile and requires TLS. Do not put into production services that are unauthenticated or that use only basic authentication.

For more information, see Service Wizard: Configure Data Records.

Control who is authorized to access specific data and functions

Limit access to sensitive data and your application’s functionality (especially the ability to change application data, and the application itself) to those who need it to perform their tasks, and prevent others from gaining unnecessary access.

Set the system production level to 5

To implement the most restrictive security scheme, set the production level for the application to level 5. You can change the production level by clicking Designer Studio > System > General > Systems, Nodes, Requestors. The change takes effect the next time you start the system. The production level value primarily affects privilege-based authorization through Access of Role to Object and Access Deny rules, so your testing mirrors the authorization controls that are set for production. If this setting interferes with access in your development environment, add more focused Access of Role to Object rules that grant access, instead of lowering the production level.

For more information, see Defining production-level application setting values.

Define appropriate roles and privileges to restrict access

Define roles for the users in your access groups. For each class, screen, flow, flow action, or tool, that only certain users need, define an appropriate privilege to enable its access. Use the Access Manager to manage the granting of these privileges to roles. Grant access only to users with a real business need for a business function or business data.

Review all access groups, especially the unauthenticated access group, to make sure that each has the minimum required access to rules, case types, and data.

For more information, see Editing authorizations for case type items in a single access group, Editing authorizations for case type flows and flow actions in a single access group, Editing tools authorization for a single access group, Reviewing user privileges for a role by using Access Manager, Authorization models in Pega Platform, and Access groups.

Define appropriate access control policies to restrict access

Use access control policies to enforce restrictions on access to application data at the row and column level; in other words, to restrict access to specific instances or properties in a class for different operators. Define policy conditions that dynamically compare user privileges, credentials, or other information on the clipboard to properties in each instance of the restricted class.

For more information, see Authorization models in Pega Platform, Creating an access control policy, and Creating an access control policy condition.

Appropriately audit changes to data and user/developer actions

Configure auditing to document who changes your application data, and when and how the data has been changed. Auditing also enables you to:

  • Monitor all security-related activity in the system
  • Create reports that analyze patterns of system usage
  • Identify patterns of suspicious behavior
  • Determine the scope of damage and apply remedial actions if any vulnerabilities are exploited

Audit changes to application data

Enable field-level auditing in History- tables, where appropriate, to track changes to key sensitive class properties.

For more information, see Enabling security auditing for a data class or rule type.

Audit other types of user and developer actions

Configure security event logging to track user and developer actions that might be unauthorized or indicate suspicious patterns of behavior. If a security violation or breach occurs, the log can help you determine the level of exposure and risk, and identify remedial actions.

For more information, see Selecting a security event to monitor.

Remove other vulnerabilities in your application environment

Remove other vulnerabilities in your environment, in addition to configuring basic features for authentication, authorization, and auditing.

Secure database access

Secure your database connections. In Designer Studio, in the Records Explorer, click SysAdmin > Database, and open the database instance. On the Database tab, in the How to connect field, select the Use JDBC Connection Pool setting. With this setting, the Pega Platform application obtains its database connections from the application server through a Java Naming and Directory Interface (JNDI) lookup, so the credentials stay in the application server configuration. Avoid the Use configuration in Preferences setting to define databases, because it stores the database credentials in clear text in the database data instance.

Limit the capabilities and roles in the Pega Platform database account to restrict the ability to truncate tables, create or delete tables, or otherwise alter the schema. This limit on capabilities and roles might cause the View/Modify Database Schema tool to operate in read-only mode.

For more information, see Creating a database data instance.

Secure file uploads

If documents can be uploaded into your application, secure them as follows:

  • Pega Cloud Services environments automatically check uploaded files for viruses. If you do not have a Pega Cloud Services environment, do the following:
    • Use a virus checker to check the files that can be uploaded. You can use an extension point in the CallVirusCheck activity to check attachments.
    • Regularly update your virus checker to enable detection of new viruses.
  • Restrict the file type by adding a when rule or a decision table to the SetAttachmentProperties activity to evaluate whether a document type is allowed. If a file type is not allowed (evaluated as false), you can set up a message on the step page that stops the save attachment activity from being performed.
  • Verify that the XML/AllowDocTypes dynamic system setting is set to false.

For more information, see Extension points and supporting rules for attachments, Standard activities — Extension points, Restricting user actions for case attachments, and Steps tab on the Activity form.
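The file-type restriction above is expressed in Pega as a when rule or decision table on the SetAttachmentProperties extension point. The following added example (not Pega's code and not from this page) shows the check a practitioner would want that rule to make: it accepts an upload only when both the file extension is on an allow-list and the leading bytes of the content match that type, so a renamed executable such as setup.pdf is rejected along with the obvious report.pdf.exe. The allow-list, magic-byte table, and sample uploads are constructed for the example.

```python
"""Attachment allow-list check with content sniffing (added example, not Pega code)."""
import os

# Constructed allow-list: permitted extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),   # Office Open XML is a ZIP container
}

# Content that must never be stored regardless of the declared extension.
EXECUTABLE_MAGIC = (
    b"MZ",        # Windows PE
    b"\x7fELF",   # ELF
    b"#!",        # script with an interpreter line
)


def attachment_allowed(filename: str, content: bytes) -> tuple:
    """Return (allowed, reason); False is the when-rule result that stops the save."""
    # Keep only the leaf name so path fragments in a client-supplied name are ignored.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "missing or hidden file name"

    # Judge by the LAST extension only: "report.pdf.exe" is an .exe.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not allowed"

    head = content[:16]
    if any(head.startswith(sig) for sig in EXECUTABLE_MAGIC):
        return False, "content is an executable or script"

    # The extension may lie; the content has to look like the declared type.
    if not any(head.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"content does not match declared type {ext}"

    return True, "ok"


# Constructed sample uploads: (client-supplied name, first bytes of content).
SAMPLE_UPLOADS = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("photo.JPG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("setup.pdf", b"MZ\x90\x00\x03\x00"),
    ("notes.txt", b"hello"),
    ("..\\..\\evil.pdf", b"%PDF-1.4\n"),
]


def screen_uploads(uploads=SAMPLE_UPLOADS) -> dict:
    """Run the check over each sample and return {name: (allowed, reason)}."""
    return {name: attachment_allowed(name, data) for name, data in uploads}


if __name__ == "__main__":
    for name, (ok, why) in screen_uploads().items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {name}: {why}")
```

Note that the last sample is accepted: its content is a PDF and only the leaf name is kept, so the path fragments are harmless. If your application also rejects names containing path separators, add that as a separate rule rather than weakening the content check.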

Secure HTML if it exists in your application

Keep your application guardrail-compliant and do not include custom (non-autogenerated) HTML. However, if you do include custom HTML, follow guidelines to minimize security vulnerabilities in your application. For more information, see Security guidelines for custom HTML.

Prepare to securely migrate your application to production

Some security recommendations are most appropriate to perform when you move an application to a production environment. These recommendations are essential to avoid common security vulnerabilities.

Lock rulesets

Lock each ruleset version with a secure password by clicking Lock and Save on the Version tab, and entering a hard-to-guess password. In each ruleset rule, click Use checkout? on the Security tab, and enter three distinct passwords to limit the ability to add versions, update versions, and update the ruleset rule. For more information, see Versions tab on the Ruleset form.

Block unnecessary roles and operators from production

In the production environment, eliminate or block any operators and roles used in development or test environments that are not needed in production.

For more information, see Defining security information for an operator, Defining operator work groups, work queues, and schedules, and Enabling and disabling operators.

Secure passwords

Verify that the system securely hashes and stores all passwords for production use.

  • In the database table that holds the operator ID instances, ensure that the column that contains the password property pyPwdCurrent is not exposed, and that the value for pyPwdCurrent is only in the pzPVStream or BLOB column.
  • Convert preexisting password hashes to use the salted bcrypt algorithm.
    For more information, see Password hashing.
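The two bullets above ask that stored hashes be salted and that preexisting hashes be converted. The following added example (not Pega's code and not from this page) shows the usual way to do the conversion without forcing a reset: a record holding an unsalted legacy digest is verified on login and immediately re-hashed with the salted scheme. bcrypt, which Pega uses, needs a third-party module, so the standard library's scrypt (also salted and deliberately slow) stands in for it here; the upgrade-on-login pattern is the same. The operator store and passwords are constructed for the example.

```python
"""Salted hashing with upgrade-on-login of legacy hashes (added example, not Pega code)."""
import hashlib
import hmac
import os

# scrypt cost (16 MiB of memory); scrypt stands in for bcrypt in this example.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted hash in the form 'scrypt$<salt hex>$<digest hex>'. A fresh salt each call."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))   # constant-time


def legacy_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of preexisting hash the checklist says to convert.
    Equal passwords produce equal hashes, so one cracked hash unlocks every user sharing it."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def verify_legacy(password: str, stored: str) -> bool:
    return hmac.compare_digest(stored, legacy_hash(password))


def login(store: dict, operator: str, password: str) -> bool:
    """Check credentials; on success against a legacy hash, rewrite it as a salted hash."""
    stored = store.get(operator)
    if stored is None:
        hash_password(password)   # do equal work so unknown IDs are not faster to probe
        return False
    if stored.startswith("scrypt$"):
        return verify_salted(password, stored)
    if stored.startswith("sha256$") and verify_legacy(password, stored):
        store[operator] = hash_password(password)   # upgrade on login
        return True
    return False


def demo_store() -> dict:
    """Constructed operator store: one legacy record, one already converted."""
    return {
        "legacy.user": legacy_hash("Winter2024!"),
        "new.user": hash_password("correct horse battery staple"),
    }


if __name__ == "__main__":
    store = demo_store()
    print("before:", store["legacy.user"][:20])
    print("login ok:", login(store, "legacy.user", "Winter2024!"))
    print("after: ", store["legacy.user"][:20])
```

Records that never log in again keep their legacy hash, so after a grace period the remaining sha256$ entries should be expired (forced reset) rather than left in place indefinitely.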

To prevent unauthorized access with default passwords, change the passwords for the default operators that you plan to use, and disable or delete the operator IDs that you do not plan to use. As a best practice, always change the passwords for IDs that end with (including , , and ) and for the operator IDs that the external setup wizard creates during installation. You can also disable, delete, or customize default operators. For more information, see Defining security information for an operator and Enabling and disabling operators.

Secure web.xml

Make the following changes to the web.xml deployment descriptor file:

  • Limit or block access to the Pega Platform servlets that support only testing and debugging, including HeapDisplay, SecManServlet, and PRSOAPSimulator.
  • Remove unnecessary resources and servlets.
  • Set appropriate time-outs at the application server level and requestor level.
  • Block access to the prweb/PRServlet servlet that allows users to log in using the older platform login process instead of the newer PRAuth-based authentication services. For more information, see Application URL patterns for various authentication service types.
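The first and last bullets above name servlets that must not be reachable in production. The following added example (not Pega tooling and not from this page) is an audit script that parses a web.xml and reports which of those servlets are still mapped without a security-constraint that denies all access, which in the servlet specification is a constraint whose auth-constraint element is empty. The sample descriptor is constructed for the example, and its url-patterns are assumptions, not the patterns of a real prweb deployment.

```python
"""Audit a web.xml for test/debug servlets left reachable (added example, not Pega tooling)."""
import xml.etree.ElementTree as ET

# Servlets the checklist says to block or restrict in production.
RESTRICTED_SERVLETS = {"HeapDisplay", "SecManServlet", "PRSOAPSimulator", "PRServlet"}


def _local(tag: str) -> str:
    """Drop the namespace: '{http://xmlns.jcp.org/xml/ns/javaee}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _texts(el, name):
    return {c.text.strip() for c in _children(el, name) if c.text}


def audit_web_xml(xml_text: str) -> dict:
    """Return {servlet-name: 'denied' | 'exposed'} for each restricted servlet that is mapped.

    'denied' means every url-pattern of the servlet is covered by a security-constraint
    with an empty <auth-constraint/> (deny all) and no http-method restriction.
    """
    root = ET.fromstring(xml_text)
    mappings = {}            # servlet-name -> set of url-patterns
    denied_patterns = set()  # url-patterns covered by a deny-all constraint
    for el in root:
        kind = _local(el.tag)
        if kind == "servlet-mapping":
            names = _texts(el, "servlet-name")
            for name in names:
                mappings.setdefault(name, set()).update(_texts(el, "url-pattern"))
        elif kind == "security-constraint":
            # An auth-constraint with no role-name children means "no one may access".
            deny_all = any(not _children(ac, "role-name") for ac in _children(el, "auth-constraint"))
            if not deny_all:
                continue
            for wrc in _children(el, "web-resource-collection"):
                if _children(wrc, "http-method"):
                    continue   # only some methods are blocked; do not count it as a full block
                denied_patterns.update(_texts(wrc, "url-pattern"))
    report = {}
    for name in sorted(RESTRICTED_SERVLETS & mappings.keys()):
        patterns = mappings[name]
        report[name] = "denied" if patterns and patterns <= denied_patterns else "exposed"
    return report


# Constructed descriptor; the url-patterns are assumptions for the example.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet-mapping><servlet-name>PRServlet</servlet-name><url-pattern>/PRServlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>PRAuth</servlet-name><url-pattern>/PRAuth/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>HeapDisplay</servlet-name><url-pattern>/HeapDisplay</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>SecManServlet</servlet-name><url-pattern>/SecManServlet</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>debug</web-resource-name>
      <url-pattern>/HeapDisplay</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def audit_sample() -> dict:
    return audit_web_xml(SAMPLE_WEB_XML)


if __name__ == "__main__":
    for servlet, status in audit_sample().items():
        print(f"{status.upper():8} {servlet}")
```

In the sample, HeapDisplay is covered by a deny-all constraint, SecManServlet and PRServlet are still reachable, and PRSOAPSimulator has no mapping at all, which is the cleanest state: removing the servlet-mapping and servlet elements is preferable to constraining them, because a constraint can be undone by a later change to the descriptor while a missing mapping cannot be reached at all.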

Configure dynamic system settings for production

Verify that the dynamic system settings are appropriate for a production environment.

For more information, see Dynamic system settings for application security.

Configure Cross-Site Request Forgery (CSRF) settings

Configure Cross-Site Request Forgery (CSRF) settings to prevent unwanted actions on an application in which a user is currently authenticated.

For Pega Platform 8.1 and later, set these values by using the Cross-Site Request Forgery landing page. For more information, see Enabling and configuring Cross-Site Request Forgery settings.

For Pega 7 and below, set the CSRF settings as described in Configuring CSRF protection.

Do not deploy checked-out rules

Run the Checked Out Rule Report and eliminate rules that are checked out. For more information, see Reporting on rules.

Define appropriate Content Security Policies (CSPs)

Review and define appropriate Content Security Policies (CSPs). Specify one or more CSPs for every production application to inform the user's browser of locations from which an application can load resources. For more information, see Configuring a content security policy.

Define appropriate CORS policies for REST services

Configure cross-origin resource sharing (CORS) policies to control and secure access to the REST services in your application by external systems. For more information, see Creating a cross-origin resource sharing (CORS) policy.

Appropriately encrypt data

Protect sensitive data within Pega Platform data stores by encrypting all the data in a class or by encrypting individual property values.

For more information, see Encryption in Pega Platform.

Configure logging levels appropriately

Set appropriate logging levels for production. Minimize the amount of detail in log files by setting the log level to INFO or a less verbose level (WARN or ERROR); DEBUG-level output can write clipboard contents, request parameters, and other sensitive data to the logs. For more information, see Logging Level Settings tool.

Perform production testing in a production-like environment

During production testing, configure your application and the test environment to mirror the intended production environment. Otherwise, your testing might not uncover serious security vulnerabilities.

Apply patches, updates, and hotfixes

Install the latest patches and updates to the operating system, application and web servers, proxies, database, and related applications. Install all appropriate Pega Platform updates and hotfixes (contact Global Customer Support for assistance if needed).

Configure the database and communications to mirror production

Configure the system and database according to your company's security policies, as in the production environment to which the application will be deployed. This configuration should include the use of TLS for all communication between clients and the application.

When you configure TLS, remove any cipher suites that use a null cipher (no encryption) or anonymous key exchange (no server authentication). A TLS connection negotiated with a null cipher carries login credentials and passwords in clear text, so if the server and client have only such a suite in common, the "secure" connection protects nothing.
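The cipher suite configuration itself belongs to the application server or load balancer in front of Pega Platform, but the check is the same everywhere: after hardening, list what can still be negotiated and confirm no unencrypted or unauthenticated suite remains. The following added example (not Pega tooling and not from this page) does that with Python's ssl module, and also runs the same filter over a constructed list of suite names to show what it flags. The cipher string and the sample names are assumptions for the example.

```python
"""Verify no null or anonymous cipher suites survive TLS hardening (added example, not Pega tooling)."""
import ssl

# Substrings that mark suites with no encryption (NULL), no authentication (ADH/AECDH),
# or broken primitives (export grade, RC4, single/triple DES, MD5), in OpenSSL naming.
WEAK_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "RC4", "DES-CBC", "MD5")


def weak_suites(names) -> list:
    """Return the suite names that match any weak marker, in the order given."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def hardened_server_context() -> ssl.SSLContext:
    """Server context restricted to TLS 1.2+ forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Positive allow-list first; the !aNULL/!eNULL exclusions are belt-and-braces
    # in case the allow-list is later loosened. (Assumed cipher string.)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> list:
    """Suite names the context would offer, including the fixed TLS 1.3 suites."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed names illustrating what the filter catches; the first two are acceptable.
SAMPLE_SUITE_NAMES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_128_GCM_SHA256",
    "NULL-SHA256",            # eNULL: encrypts nothing
    "ECDHE-RSA-NULL-SHA",     # eNULL with a key exchange, still no encryption
    "ADH-AES128-SHA",         # aNULL: no server authentication, trivially MITM'd
    "AECDH-AES256-SHA",       # aNULL (ECDH flavour)
    "EXP-RC4-MD5",            # export grade, RC4, MD5
    "DES-CBC3-SHA",           # 3DES (64-bit blocks)
]


if __name__ == "__main__":
    print("flagged in sample list:", weak_suites(SAMPLE_SUITE_NAMES))
    offered = negotiable_suites(hardened_server_context())
    print("offered after hardening:", offered)
    print("weak suites remaining:", weak_suites(offered))
```

Run the same kind of listing against the real endpoint from outside (for example with a TLS scanner) as well, because the suite list the server offers is what matters, not the one in a configuration file that may not be the file actually loaded.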

Configure authentication to mirror production

Configure the system to mirror the production authentication scheme. Verify that all client updates and patches are applied. When testing authentication from a browser, clear the browser’s password history and disable the browser’s autocomplete/autofill feature.

Configure the application server to mirror production

Configure the application server in your test environment to mirror the configuration in your production environment. For more information, see Security guidelines for test environments.

Test monitoring and analyzing security events and alerts

Define the process for routinely monitoring security alerts and security events in production for your application. Test that process by intentionally generating alerts and events to verify that your process identifies and responds to them in a timely manner.
