Thursday, December 14, 2023

Pega Security Checklist

  1. Guardrails
  2. Security alerts log
  3. Service packages should require authentication (at least basic auth over TLS)
  4. Appropriate roles + RAROs + Access Whens + Privileges
    • Secure activities, flow actions and visibility through privileges
  5. Always perform server-side validation
    • Data validations
    • Attachments at specific assignments
    • Etc.
  6. Encryption
  7. Lock the application and its rulesets
  8. Do not deploy rules that are still checked out
  9. Do not include operator records in Production. Block unused operators in PROD. Disable the PRServlet servlet in PROD
  10. CSRF
  11. CORS
  12. CSP
  13. Appropriate logging levels
  14. Password hashing: bcrypt algorithm
  15. Authentication timeout
  16. Field-level auditing
  17. Security events
  18. Client-based access control: which application data is subject to data privacy regulations such as GDPR, and how access to that data will be handled
  19. Secure file uploads
  20. The XML/AllowDocTypes dynamic system setting is set to false
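Item 20 is the Pega-level control for XML external entity (XXE) exposure: a DOCTYPE declaration is what lets an XML document define entities, so refusing DOCTYPEs closes that path before any entity is resolved. The following is an added example, not Pega code and not taken from this post, showing the same control at the JAXP/Xerces level that Pega runs on; the feature URIs are the standard Xerces ones, and the mapping from AllowDocTypes to exactly these features is an assumption made for illustration. It parses a constructed plain document and a constructed document that carries a DOCTYPE, and shows that only the first is accepted.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample inputs (not from the page): one plain document,
    // and one that declares a harmless internal entity via a DOCTYPE.
    static final String PLAIN = "<note>hello</note>";
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?><!DOCTYPE note [<!ENTITY greeting \"hi\">]>"
        + "<note>&greeting;</note>";

    // Build a DocumentBuilder that rejects any DOCTYPE outright and, as
    // defence in depth, never fetches external entities or XIncludes.
    // This is the JAXP equivalent (assumed) of Pega's XML/AllowDocTypes=false.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Returns true if the hardened parser accepts the document, false if it
    // is rejected (a SAXParseException is raised as soon as a DOCTYPE is seen).
    public static boolean accepts(String xml) {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            return false; // DOCTYPE present: parser refused the input
        } catch (IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain document accepted:   " + accepts(PLAIN));        // true
        System.out.println("DOCTYPE document accepted: " + accepts(WITH_DOCTYPE)); // false
    }
}
```

The detection side of this control is the rejection itself: a hardened parser turns a DOCTYPE into a parse error, so any such error appearing in service logs is worth reviewing alongside the security alerts log from item 2.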

