Question | 6 Replies | 657 Views
ABHINANDAN (Member since 2011, 27 posts), Areteans Technology Solutions
Posted: 3 years ago | Last activity: 3 years ago | Closed

How to ensure that application is compliant with client security checklists

In most Pega projects, at some point the client asks for a security compliance check against their security checklist. While doing that we normally refer to the "Pega Platform Application Security" standard document; however, we still find many things in the client checklist which aren't mentioned in the "Pega Platform Application Security" doc. For example, please see the items below:

1. Specify proper character sets, such as UTF-8, for all sources of input.

2. Encode data to a common character set before validating (standard form)

3. Validate all client provided data before processing, including all parameters, URLs and HTTP header content (e.g. Cookie names and values). Be sure to include automated post backs from JavaScript, Flash or other embedded code.

4. Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8 decoding is completed.

5. Verify that header values in both requests and responses contain only ASCII characters.

6. Set the "secure" attribute for cookies transmitted over a TLS connection.

7. Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters.

These are just a few of them; there are usually many such items for which we don't find much help anywhere in the PDN communities or any document. It's even hard to understand which of these client security checklist items are supposed to be handled in Pega, and which ones at the app server, operating system, infrastructure or network level etc., and hence are not Pega's responsibility to handle.

Please let us know if any such document or online article is available which will help us answer all these kinds of security questions asked by clients. Frankly, I would appreciate it if Pega introduced an online course for such security-related stuff which falls outside Pega's domain and sits at the app server or infrastructure level. With this, LSAs will be better equipped to answer these kinds of security questions.

Regards

Abhi

Security
Moderation Team has archived post
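As an added example (not code from the original post, from Pega, or from the "Pega Platform Application Security" document), here is a small Python checker that exercises checklist items 1, 2, 4, 5, 6 and 7 from the post against constructed sample traffic; the set of session parameter names it looks for is an assumption.

```python
import unicodedata
from urllib.parse import urlsplit, parse_qs

# Parameter names commonly used to carry session identifiers (assumption).
SESSION_PARAM_NAMES = {"jsessionid", "sessionid", "phpsessid", "sid"}

def canonicalize(raw: bytes):
    """Items 1, 2 and 4: decode strictly as UTF-8 (malformed bytes are rejected,
    not silently replaced) and normalize to NFC so validation sees one standard
    form. Returns None when the bytes are not valid UTF-8."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    return unicodedata.normalize("NFC", text)

def non_ascii_headers(headers: dict) -> list:
    """Item 5: names of headers whose value holds anything outside printable
    ASCII (tab allowed); CR/LF and non-ASCII characters both fail this check."""
    return [name for name, value in headers.items()
            if not all(c == "\t" or 0x20 <= ord(c) <= 0x7E for c in value)]

def cookies_missing_secure(set_cookie_values: list) -> list:
    """Item 6: names of cookies whose Set-Cookie line lacks the Secure attribute."""
    missing = []
    for line in set_cookie_values:
        name_value, *attrs = line.split(";")
        if not any(a.strip().lower() == "secure" for a in attrs):
            missing.append(name_value.split("=", 1)[0].strip())
    return missing

def session_ids_in_url(url: str) -> list:
    """Item 7: session-id parameter names found in the query string or as
    servlet-style path parameters (/app;jsessionid=...), in that order."""
    parts = urlsplit(url)
    found = [n for n in parse_qs(parts.query, keep_blank_values=True)
             if n.lower() in SESSION_PARAM_NAMES]
    for segment in parts.path.split("/"):
        for matrix in segment.split(";")[1:]:
            name = matrix.split("=", 1)[0]
            if name.lower() in SESSION_PARAM_NAMES:
                found.append(name)
    return found

if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real application.
    print(canonicalize("Cafe\u0301".encode("utf-8")), canonicalize(b"\xff"))
    print(non_ascii_headers({"Host": "example.invalid", "X-Note": "caf\u00e9"}))
    print(cookies_missing_secure(["JSESSIONID=abc; Path=/; HttpOnly",
                                  "theme=dark; Path=/; Secure"]))
    print(session_ids_in_url("https://example.invalid/app;jsessionid=Z?case=C-42&JSESSIONID=a"))
```

Checks like these belong in an HTTP filter or reverse proxy in front of the application, so that the parts of the checklist that are not Pega's responsibility can still be evidenced at the app-server layer.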