Question
Deutsche Post AG
DE
Last activity: 26 Aug 2022 4:45 EDT
How to get a response from Pega on pentest findings
We had a pentest done and found vulnerabilities. I reported them in SR-117509. And pega was reacting to the findings.
We did a retest. Unfortunately two vulnerabilities are still open. I reported them to Pega 9 days ago. But I haven't got any reaction from Pega to this. I started raising the findings as security incidents. Still no answer.
What can I do to have somebody in Pega closing those vulnerabilities?
***Edited by Moderator Marije to add Support Case Details; **
Accepted Solution
Updated: 26 Aug 2022 4:45 EDT
Pegasystems Inc.
GB
Hello @MichaelK1674 many thanks for alerting us to this issue.
I have checked the ticket SR-117509 which was reopened once you found the security issues. It was originally logged to notify the cloud team of your intended security tests.
I can see it was reopened once you found some issues. I believe that the correct support ticket to be referencing for the actual product investigation into your pentest results is INC-236134 which is also still open. That INC-236134 is a better ticket as it deals with a product issue, rather than a cloud service request.
I can shed some light on some of your concerns:
1. With regard to your concern about ckeditor 4.7.1 being out of date, please take a look at our response in this forum question: CKEEditor and Fusion Charts.
I can see that you have an open support ticket to help answer that question: INC-237977
2. With regard to your concerns about 'The jQuery libraries in use are deprecated' , please take a look at our response in this forum question: Can we upgrade JQuery and JQuery UI libraries in 8.2.8 to latest versions.
Hello @MichaelK1674 many thanks for alerting us to this issue.
I have checked the ticket SR-117509 which was reopened once you found the security issues. It was originally logged to notify the cloud team of your intended security tests.
I can see it was reopened once you found some issues. I believe that the correct support ticket to be referencing for the actual product investigation into your pentest results is INC-236134 which is also still open. That INC-236134 is a better ticket as it deals with a product issue, rather than a cloud service request.
I can shed some light on some of your concerns:
1. With regard to your concern about ckeditor 4.7.1 being out of date, please take a look at our response in this forum question: CKEEditor and Fusion Charts.
I can see that you have an open support ticket to help answer that question: INC-237977
2. With regard to your concerns about 'The jQuery libraries in use are deprecated' , please take a look at our response in this forum question: Can we upgrade JQuery and JQuery UI libraries in 8.2.8 to latest versions.
jquery has been upgraded to 3.6.0 and jquery UI to 1.13.1 in Pega 8.7.1 So either on 8.7.1 or 8.7.2 you should be on jquery version 3.6.0. Now the question is what went wrong as it should be 3.6.0. The investigation will require evidence that 3.2.1 is still there - I can see that you have logged INC-237837 where support is helping investigate this particular issue.
Also, can you please confirm that you checked the following document which contains complete instructions on security testing requirements?
https://docs-previous.pega.com/pega-cloud/cloud/vulnerability-testing-policy-applications-pega-cloud
Deutsche Post AG
DE
@MarijeSchillern Thanks for your help. I can confirm that we were looking for the instructions on security testing and therefore we choose staging-environment, we announced the test and I handed over the result.
After rising this question I got a response on a short notice - after I was not able to get any reaction on security findings for 9 days. At present I am trying to arrange a meeting between the pentester and pega support. Pentester proposed several dates. Hopefully at least one will be convinient for Pega support.
I don't want to go into details in the public of security findings in our pega cloud installation. Therefore you may close this question.