Question

5
Replies
436
Views
 Greg Parks (GPARKS952)
Unitedhealth Group, Inc.
Pega Application Architect
Unitedhealth Group, Inc.
US
GPARKS952 Member since 2014 6 posts
Unitedhealth Group, Inc.
Posted: April 8, 2016
Last activity: October 4, 2016
Posted: 8 Apr 2016 13:42 EDT
Last activity: 4 Oct 2016 11:18 EDT
Closed
Solved

HP Fortify and Pega 7.1.x

Does anyone have experience with using a static code analyzer like HP Fortify and Pega 7.1.x?

I'm guessing there's not a lot of useful results I'd get from this - since most of a Pega application is dynamically generated, right?

Is there anyone who has tried it?  What were the results?

Is there any recommended tools I should use instead?

Is there some "trick" to getting Fortify to look at the generated code?  Is there any value to that?

Message was edited by: Marissa Rogers - Added Category

Security
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 5 years ago
Posted: 12 Apr 2016 16:20 EDT
Conner (ThomasConner)

If you are trying to run analysis on your own application code, then Fortify is perhaps not the right tool to attempt for that, as it is not configured to understand Pega APIs and as you mention, it would require quite a bit of trickery to coerce Fortify to scan the dynamically generated rule code.

The Rule Security Analyzer, which ships with Pega7, has a few scans that work on your custom written code. This finds some of the same vulnerabilities that Fortify looks for, including cross-site scripting, SQL injection, and XML Entity Expansion vulnerabilities.
Posted: 5 years ago
Posted: 6 May 2016 16:42 EDT
Greg Parks (GPARKS952)
Unitedhealth Group, Inc.
Pega Application Architect
Unitedhealth Group, Inc.
US

Well, I've learned what I can -- and convinced our internal security team that Fortify is not applicable;

However, that leaves me with the question: what can I do -- or what has Pega themselves done -- to scan for security vulnerabilities?

That is, does Pega provide any documentation, or any "certification" that certain security practices are always followed, that a Pega server (I'm thinking primarily 7.1.x or 7.2) is secure to a certain level of confidence?

Accepted Solution

Posted: 5 years ago
Posted: 6 May 2016 17:40 EDT
Marty Solomon (SOLOM)
PEGA
Senior Director Software Security Architecture
Pegasystems Inc.
US

No 'certification' exists.  Have you seen our security white paper?  It is available through your account rep.  It covers many topics related to security and includes a description of the many ways we test and assess our software for security vulnerabilities throughout the development lifecycle.
Posted: 4 years ago
Posted: 4 Oct 2016 11:18 EDT
Kyler Evans (KylerE43)
Scotiabank

Scotiabank
CA

I'm just going link in this discussion to close the loop. It is possible to scan the Pega generated code using Fortify. The way we implemented it was to use an isolated environment to run a specific app, walk the app through its flows, then capture the generated code from the PRGenJava folder.


https://pdn.pega.com/community/pega-product-support/question/running-fortify-scans-against-pega-generated-code


The results of this type of scan gave us the ability to see the security posture of the dynamic code which is actually used, vs the rule analyzer which i believe looks at the custom user developed code.