Pega Cloud customers can conduct application security assessments when such assessments are preauthorized and performed within the guidelines described in this article. Application-tier vulnerability scanning is allowed when customers need to assess and report on the security of their cloud-delivered applications, customer-directed development, and services for internal audit or compliance programs.
Pega Cloud customers are permitted to conduct application vulnerability tests on their Pega 7 Platform applications that are deployed in preproduction (large sandbox) and production environments. Development and test (small sandbox) cloud systems are not in scope for security assessments conducted by customers, because these environments should not be used for production services or for hosting sensitive or production data.
Pega Cloud customers must adhere to the Acceptable Use Policy, which outlines several other activities that are not allowed. In addition, Pega Cloud customers must acknowledge and adhere to the terms and conditions described on the Application Vulnerability Test Request Form.
Customers should engage their Pega Cloud Customer Engagement team lead, and initiate a Pega Support request, when they need to conduct an application vulnerability test. The Customer Engagement team then coordinates the test with the customer to provide authorization, set a specified testing time frame, and validate the scope and the IP address space indicated on the Application Vulnerability Test Request Form.
When customers perform testing within these conditions and with the proper approvals, Pegasystems allows an exception to the standard Acceptable Use Policy so that customers can probe, scan, or test their associated applications for known vulnerabilities.
Lastly, Pegasystems requests that customers independently validate that the tool or service that they employ for their vulnerability testing is not configured to perform any of the following activities:
- Denial-of-service (DoS) attacks or simulations of such attacks
- Protocol flooding (for example, SYN flooding, ICMP flooding, UDP flooding)
- Resource request flooding (for example, HTTP request flooding, login request flooding, API request flooding)
Authorized contacts for the customer submit a service request ticket in the My Support Portal or call the help desk to initiate the process for obtaining approval for the customer-led vulnerability scan.
A Customer Engagement or Cloud Security team lead works with the customer to complete the Application Vulnerability Test Request form.
- The customer submits a completed and signed Application Vulnerability Test Request Form before the request approval process can be initiated. The following information must be provided on the form:
  - Contact details, including email address and office and mobile phone numbers
  - Description of the assessment and test cases
  - Inventory of the assessment tools or service that conducts the assessment
  - Source IP address of the scanning tool or service
  - Signature of the authorized customer contact who makes the request
- Pega Cloud Support and the customer review the Application Vulnerability Test Request Form to ensure that the scope and the testing tools or service to be used meet the terms and conditions of the agreement.
- After the request is approved, the customer receives an authorization code and notification of the time frame (usually one week) in which to complete the testing.
After Pega Cloud Support and the customer have reviewed and agreed on the Application Vulnerability Test Request Form, submitted requests require a minimum of 10 days for processing and approval.
Customers who require a copy of the Pega Cloud independent third-party penetration test executive summary may request a copy of the report, under NDA, by submitting a service request ticket in My Support Portal.
Pega Cloud Support recommends that customers share the results of the vulnerability tests with support to help the continuous improvement of cloud services.