Rule Security Analyzer

To make your Pega Platform applications more secure, you can run the Rule Security Analyzer. This tool searches non-autogenerated rules for specific JavaScript or SQL coding patterns that might indicate a security vulnerability.

To use the analyzer, you must have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.

Note that:

  • The Rule Security Analyzer tool examines only custom code, not autogenerated rules.
  • Blocked rules are ignored. These rules are identified by the property .pyRuleAvailable = "Blocked".
  • The tool scans rules in your own applications, not rules in standard Pega Platform rulesets.

The Rule Security Analyzer tool finds potential vulnerabilities by matching rule source against regular expressions that are defined in Rule Analyzer Regular Expressions rules. The system provides the following standard regular expressions:

  • pyCrossSiteScripting
  • pyCrossSiteScriptingFromParam
  • pyCssInLink
  • pyScriptJS
  • pyUnsafeURL

You can supplement these standard regular expressions with regular expressions that you create.
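As an added illustration (not Pega's code, and not the regular expressions the platform actually ships), the following Python sketch mimics how the analyzer filters and matches: it skips autogenerated rules, Blocked rules and rules in standard rulesets, then reports each regex hit per source line. The pattern bodies, ruleset names and rule sources are constructed examples; customSqlConcat stands for a regular expression you might create yourself to supplement the standard ones.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """Minimal stand-in for a rule record (constructed, not Pega's data model)."""
    name: str
    ruleset: str
    source: str
    autogenerated: bool = False
    pyRuleAvailable: str = "Yes"


# Constructed stand-ins for the standard Rule Analyzer Regular Expressions.
STANDARD_PATTERNS = {
    "pyCrossSiteScripting": r"\.innerHTML\s*=|document\.write\s*\(",
    "pyScriptJS": r"<script\b",
    "pyUnsafeURL": r"\b(?:javascript|vbscript|data):",
}
# A custom pattern of your own: SQL keywords followed by string concatenation.
CUSTOM_PATTERNS = {
    "customSqlConcat": r"\b(?:select|insert|update|delete)\b.*['\"]\s*\+",
}
STANDARD_RULESETS = {"Pega-RULES"}  # constructed example of a platform ruleset


def analyze(rules, patterns, standard_rulesets):
    """Return (rule name, pattern name, line number, line) for each regex hit."""
    findings = []
    for rule in rules:
        if rule.autogenerated or rule.pyRuleAvailable == "Blocked":
            continue  # only custom, available rules are examined
        if rule.ruleset in standard_rulesets:
            continue  # standard platform rulesets are out of scope
        for pattern_name, pattern in patterns.items():
            for lineno, line in enumerate(rule.source.splitlines(), 1):
                if re.search(pattern, line, re.IGNORECASE):
                    findings.append((rule.name, pattern_name, lineno, line.strip()))
    return findings


SAMPLE_RULES = [  # constructed rule sources
    Rule("CustomHeader", "MyApp", 'el.innerHTML = userText;\nlink.href = "javascript:" + cmd;'),
    Rule("OldWidget", "MyApp", "<script>run()</script>", pyRuleAvailable="Blocked"),
    Rule("GeneratedSection", "MyApp", "<script>init()</script>", autogenerated=True),
    Rule("pyStandardHarness", "Pega-RULES", "<script>pega()</script>"),
    Rule("LookupActivity", "MyApp", 'sql = "SELECT * FROM my_table WHERE id = \'" + id + "\'";'),
]


def run_sample():
    return analyze(SAMPLE_RULES, {**STANDARD_PATTERNS, **CUSTOM_PATTERNS}, STANDARD_RULESETS)
```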