To help you make your Pega 7 Platform applications more secure, you can run the Rule Security Analyzer. This tool searches through non-autogenerated rules to find specific JavaScript or SQL coding patterns that may indicate a security vulnerability.
To use the analyzer, you need to have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.
Note that:
To access the tool, select Designer Studio > Org and Security > Tools > Security > Rule Security Analyzer. The Search Criteria form appears in a new window.
The form has seven fields, two of which are required. The other fields let you restrict the analysis to a particular subset of the application's rules and code.
Field | Description |
---|---|
RuleSets | Select one or more RuleSets to analyze. |
Rule Types | Optional. You can choose one or more rule types within the chosen RuleSet(s) to scan; or make no selection, in which case the tool scans all rule types. |
Expression | Select the regular expressions rule to use. See Regular Expressions, below. |
RuleSet Version | Optional. Leave the field blank to have the tool analyze all versions. To limit the analysis, enter major version only ("05"); major and minor version ("05-05"); or major version, minor version, and patch ("05-05-50"). |
Highest Version Only | Select True to scan only the highest version of each rule; select False to scan all versions. |
Updated Since | Optional. Leave the field blank to not limit the analysis by date. To scan only rules updated after a certain date and time, click the calendar button and enter the date and time to use. |
Also list activities that may start unauthenticated | If checked, the scan analyzes activities which have May start? checked and Authenticate? unchecked on the Security tab of the Activity rule form. |
When you have completed your settings, click Run, or Run and Export all to Excel.The system runs and displays a summary view of the results. See Analyzing the results, below.
The Rule Analyzer searches for vulnerabilities in code by searching for matches to regular expressions (regex) defined in Rule Analyzer Regular Expressions rules. The system provides these standard regular expressions:
The most effective search for vulnerabilities is to re-run the Rule Analyzer several times, each time matching against a different Regular Expressions rule.
You can supplement the Pega-supplied regular expressions with additional regular expressions you create. See About Regular Expression rules.
To examine details of the report, click the + sign to drill down and display the rules in a rule type displaying a total other than 0. Click the rule to open a separate window showing details for that rule type.
If you export to Excel, the system may display a warning that the file ExportData[1].xls is in a different format than is expected. Click Yes to open the file.
Note that a match to the Rule Analyzer Regular Expressions rule does not guarantee that the result constitutes a vulnerability in the code. You must review the results to determine if any matches are false positives.
regular expression | |
About Regular Expression rules
About the Pega-SecurityVA agent |