Question

1
Replies
514
Views
 Saritha Somasundaram (somas2)
PEGA
Senior Solutions Consultant
Pegasystems Inc.
US
somas2 Member since 2018 1 post
PEGA
Posted: June 7, 2019
Last activity: June 7, 2019
Posted: 7 Jun 2019 10:34 EDT
Last activity: 7 Jun 2019 16:02 EDT
Closed

Security Code Review tools for Pega Applications

What options and tools are available to perform security code reviews on Pega applications?

(Specifically looking for tools used in implementations, I was able to find information published on application security, vulnerabilities scanning, guardrails, Rule Security Analyzer etc.. )

***Edited by Moderator Marissa to update platform capability tags****

Security
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 2 years ago
Posted: 7 Jun 2019 12:53 EDT
Nandita Das (dasn1)
PEGA
Senior Technical Solutions Engineer
Pegasystems Inc.
IN

Hi,

I don't think there is any dedicated tool which can be run on Pega applications. As you have mentioned that you are aware of Rule Security Analyzer.This tool searches through non-autogenerated rules to find specific JavaScript or SQL coding patterns that may indicate a security vulnerability. (will not operate on rules in standard Pega- Rulesets).


Also during runtime, you can make use of PegaALERTS log which would log few SECUXXX alerts based on the different security use-cases. (like invalid chars detected, CSRF attack detected and many others)


Refer to Security alerts section for the list of alerts and individual alert details 


https://community.pega.com/knowledgebase/articles/performance-alerts-security-alerts-and-autonomic-event-services


Hope this helps!


Thank You,