Posted: 6 Jun 2018 23:38 EDT Last activity: 22 Aug 2019 7:29 EDT
Information on Pega platform vulnerability assessment
We have received a question from a customer regarding the vulnerability assessment conducted for the Pega platform. Specifically, they would like to know whether such assessments are performed before a Pega product release and whether the assessment includes checking against the OWASP Top 10 list.
Hi Lochana, thank you for the PDN article. Although it is helpful, it does not explain what Pega does as part of vulnerability assessment/penetration testing to make sure the Pega platform is secure, especially against the OWASP Top 10 security risks:
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
There are many tools available for vulnerability assessment, examining code, rules, configuration, data, etc.
The following are vulnerability assessment tools; it is important to choose the right tool according to the scope of coverage and the requirements. A security audit should also be done before release testing so that there is time to fix any platform threats that are found.
Pega Security Vulnerability Assessment Tools
2. Rule Security Analyzer
3. If you need to assess the other security vulnerabilities which are not covered as part of the above Pega tools.
All these tools allow either automated or manual testing to assess the features.
• PegaFuzz is a tool that takes a Fiddler-recorded PRPC scenario and plays it back while modifying input parameter values to contain attack payloads.
• The resulting PRPC responses are examined to determine whether PRPC processes the payloads appropriately, such that the security of the application and the browser is not breached. When PegaFuzz detects a security vulnerability, it identifies the offending rule for you to fix.
• For this process we need to use Fiddler and Spy Vs. Spy.
• The Fiddler tool is used to capture the network traffic into a .saz file.
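As an added example (not PegaFuzz itself, whose internals the thread does not describe), here is a minimal Python replay harness that follows the same pattern: read the recorded requests out of a Fiddler .saz archive, replace each input parameter in turn with an inert canary, and flag any response that reflects the canary without HTML-encoding it. The .saz layout (a zip holding raw/<n>_c.txt client requests), the /prweb/PRServlet path and the stand-in application are assumptions made for the demo.

```python
"""PegaFuzz-style replay check (added example, not Pega's tool).

Assumes a .saz archive is a zip whose raw/<n>_c.txt entries hold the raw
client requests. The target is a stand-in handler, not a live PRPC server.
"""
import io
import re
import zipfile
from html import escape
from urllib.parse import parse_qsl, urlencode

# Inert marker: if it comes back unchanged, output encoding was not applied.
CANARY = 'pfz"<>'

def requests_from_saz(saz_bytes):
    """Yield (path, form dict) for each raw/<n>_c.txt client request."""
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"raw/\d+_c\.txt", name):
                continue
            head, _, body = zf.read(name).decode("latin-1").partition("\r\n\r\n")
            path = head.split(" ", 2)[1]          # request line: METHOD PATH VERSION
            yield path, dict(parse_qsl(body))

def fuzz(saz_bytes, send):
    """Replay each request once per parameter with that parameter set to CANARY.
    `send(path, form)` returns the response body. Returns (path, param) findings."""
    findings = []
    for path, form in requests_from_saz(saz_bytes):
        for param in form:
            mutated = dict(form, **{param: CANARY})
            if CANARY in send(path, mutated):    # raw reflection of the canary
                findings.append((path, param))
    return findings

# --- constructed sample: one recorded request and a stand-in "application" ---
def build_sample_saz():
    req = ("POST /prweb/PRServlet HTTP/1.1\r\nHost: example.invalid\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           + urlencode({"Name": "alice", "Note": "hi"}))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("raw/01_c.txt", req)
    return buf.getvalue()

def stand_in_app(path, form):
    """Simulated server: encodes Name correctly but echoes Note raw (the defect)."""
    return f"<p>Hello {escape(form.get('Name', ''))}</p><p>{form.get('Note', '')}</p>"

if __name__ == "__main__":
    for path, param in fuzz(build_sample_saz(), stand_in_app):
        print(f"unencoded reflection of parameter {param!r} in {path}")
```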