Question

5
Replies
418
Views
Close popover
Greg Parks (GPARKS952)
Unitedhealth Group, Inc.
Pega Application Architect
Unitedhealth Group, Inc.
US
View ProfileSend Message
GPARKS952 Member since 2014 5 posts
Unitedhealth Group, Inc.
Posted: April 8, 2016
Last activity: October 4, 2016
Closed
Solved

HP Fortify and Pega 7.1.x

Does anyone have experience with using a static code analyzer like HP Fortify and Pega 7.1.x?

I'm guessing there's not a lot of useful results I'd get from this - since most of a Pega application is dynamically generated, right?

Is there anyone who has tried it?  What were the results?

Is there any recommended tools I should use instead?

Is there some "trick" to getting Fortify to look at the generated code?  Is there any value to that?

Message was edited by: Marissa Rogers - Added Category

Security
Close popover
Moderation Team has archived post
Posted: 4 years ago
Close popover
Conner (ThomasConner)

View ProfileSend Message

If you are trying to run analysis on your own application code, then Fortify is perhaps not the right tool to attempt for that, as it is not configured to understand Pega APIs and as you mention, it would require quite a bit of trickery to coerce Fortify to scan the dynamically generated rule code.

The Rule Security Analyzer, which ships with Pega7, has a few scans that work on your custom written code. This finds some of the same vulnerabilities that Fortify looks for, including cross-site scripting, SQL injection, and XML Entity Expansion vulnerabilities.

Posted: 4 years ago
Close popover
Greg Parks (GPARKS952)
Unitedhealth Group, Inc.
Pega Application Architect
Unitedhealth Group, Inc.
US
View ProfileSend Message

Well, I've learned what I can -- and convinced our internal security team that Fortify is not applicable;

However, that leaves me with the question: what can I do -- or what has Pega themselves done -- to scan for security vulnerabilities?

That is, does Pega provide any documentation, or any "certification" that certain security practices are always followed, that a Pega server (I'm thinking primarily 7.1.x or 7.2) is secure to a certain level of confidence?

Accepted Solution

Posted: 4 years ago
Close popover
Marty Solomon (SOLOM)
PEGA
Senior Director Software Security Architecture
Pegasystems Inc.
US
View ProfileSend Message

No 'certification' exists.  Have you seen our security white paper?  It is available through your account rep.  It covers many topics related to security and includes a description of the many ways we test and assess our software for security vulnerabilities throughout the development lifecycle.

Posted: 4 years ago
Close popover
Kyler Evans (KylerE43)
Scotiabank

Scotiabank
CA
View ProfileSend Message

I'm just going link in this discussion to close the loop. It is possible to scan the Pega generated code using Fortify. The way we implemented it was to use an isolated environment to run a specific app, walk the app through its flows, then capture the generated code from the PRGenJava folder.


https://pdn.pega.com/community/pega-product-support/question/running-fortify-scans-against-pega-generated-code


The results of this type of scan gave us the ability to see the security posture of the dynamic code which is actually used, vs the rule analyzer which i believe looks at the custom user developed code.
Share this page Share via LinkedIn Copying...
Copied!