Question
Centene
US
Last activity: 31 Mar 2016 15:51 EDT
Application Code Security
Enterprise Code Security audits require that the application code is run against any application code security tools like Veracode, CAST, AppScan, etc.
- Has the Pega code base ever been run against such tools? If YES, do we have any document, or any official document, that can be shared with the audit teams?
- Can we run any of those tools against the Pega application code?
Can someone who has experience or expertise with this share their thoughts?
Centene
US
Sorry... I don't have access to SpyVsSpy.
Pegasystems Inc.
US
SpyVsSpy, of which I am a member, is a security team for PRPC development. People will often tag posts with the team name to make sure that we notice; as far as I know, you are the first customer to realize that the tag is also a link to the team's private mesh area and to click on the link.
Pegasystems Inc.
US
The code base for core PRPC has been run against many tools including AppScan, VeraCode, CLM, BlackDuck, etc. Some of these tools are used by us internally and some of these are even run as part of the build process. Other tools have been run by customers. I would suggest that you work with your Account Executive and GCS to see what can be shared and what you can run against your application.

Most of these scanning tools produce similar results and, unfortunately, many of the results are false positives, not actual issues. The tools producing many false positives is not specific to PRPC; it happens for a lot of products because of the way that the tools operate. Many tools will record the traffic from a user performing normal operations as a baseline and will then replay the normal traffic slightly altered. If, during the course of running the slightly altered traffic, the responses from the altered traffic do not match the baseline traffic exactly, the tool records this as a result. Often the result is not an actual issue but an error screen informing a user of invalid input. This results in a high result count, which to those unfamiliar with how these tools work seems to indicate that there are a multitude of issues. For example, one tool that we ran produced results claiming that it could access 20 admin pages for an application because it had tried 20 URLs with admin appended to them and received page-not-found errors. If you do run a scan tool, please check the results and eliminate any false positives that you can before contacting GCS.
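The replay-and-compare behaviour described in the reply above, as an added illustration that is not part of the original thread and not Pega's or any scanner vendor's code: a toy scanner records a baseline, replays each request with one parameter altered and with "admin"-style paths appended, and flags every response that differs from the baseline. A triage pass then drops the two classes of false positive the post names (page-not-found responses and the application's own invalid-input error screens), leaving only findings where the payload actually comes back reflected on a successful page. The target application, its two routes, the baseline requests and the payload are all constructed for this example.

```python
"""Toy model of a replay-based DAST scanner plus a triage pass.

The target is a constructed in-process mock, not Pega/PRPC or any real product.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Response:
    status: int
    body: str


@dataclass(frozen=True)
class Finding:
    path: str
    param: Optional[str]     # mutated parameter, or None for a guessed URL
    payload: Optional[str]   # value injected, or None for a guessed URL
    response: Response


def mock_app(path: str, params: Dict[str, str]) -> Response:
    """Constructed target: /account validates its input, /search does not."""
    if path == "/account":
        uid = params.get("id", "")
        if not uid.isdigit():
            # The validation error screen the post describes.
            return Response(400, "Error: invalid input for parameter 'id'")
        return Response(200, f"<h1>Account {uid}</h1>")
    if path == "/search":
        # Echoes the query back without encoding: the one genuine finding.
        return Response(200, f"<h1>Results for {params.get('q', '')}</h1>")
    return Response(404, "Page not found")


PAYLOAD = '"><script>alert(1)</script>'            # constructed probe value
ADMIN_GUESSES = ("admin", "admin.jsp", "administrator")
# Constructed baseline: the "normal traffic" a scanner would record first.
BASELINE = [("/account", {"id": "42"}), ("/search", {"q": "invoice"})]


def naive_scan(app: Callable[[str, Dict[str, str]], Response],
               baseline) -> List[Finding]:
    """Replay each baseline request slightly altered and record every
    response that is not byte-for-byte identical to the baseline response."""
    findings: List[Finding] = []
    for path, params in baseline:
        base = app(path, params)
        for name in params:
            mutated = {**params, name: PAYLOAD}
            resp = app(path, mutated)
            if resp != base:
                findings.append(Finding(path, name, PAYLOAD, resp))
        for guess in ADMIN_GUESSES:
            guessed_path = f"{path}/{guess}"
            resp = app(guessed_path, {})
            if resp != base:
                findings.append(Finding(guessed_path, None, None, resp))
    return findings


def triage(findings: List[Finding]) -> List[Finding]:
    """Drop the false-positive classes from the post; keep only findings where
    the injected payload is reflected unmodified on a 200 page."""
    confirmed: List[Finding] = []
    for f in findings:
        if f.response.status == 404:
            continue  # guessed page simply does not exist
        if f.response.status == 400 and "invalid input" in f.response.body.lower():
            continue  # the application rejected the input; that is the control working
        if f.payload and f.response.status == 200 and f.payload in f.response.body:
            confirmed.append(f)
    return confirmed


if __name__ == "__main__":
    raw = naive_scan(mock_app, BASELINE)
    kept = triage(raw)
    print(f"raw findings: {len(raw)}, after triage: {len(kept)}")
    for f in kept:
        print(f"  {f.path} param={f.param} status={f.response.status}")
```

On this mock the naive pass reports eight findings, six of which are guessed admin URLs that returned 404 and one of which is the application's own validation error; only the reflected search parameter survives triage. Real scanners have far more elaborate heuristics than a byte-for-byte comparison, but the shape of the problem is the same: a response that differs from the baseline is evidence that the input was handled differently, not evidence of a vulnerability.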
Centene
US
Account Executive says Pega doesn't have any documents to share.
BNY Mellon
US
re: Some of these tools are used by us internally and some of these are even run as part of the build process.
I assume also that these have been run against the rules as well?
(Notwithstanding the point that many of these tools are ill-suited to Pega code... and this sort of exercise is often done because companies have an enterprise license with code scanners, and there's no apparent added cost to scanning Pega.)
Pegasystems Inc.
US
Jon,
You are correct that the tools are also run against the rules; to be precise, they are run against the Java code that is generated from the rules.
Matt
Centene
US
We understood that the Pega rules (Java classes) were run against the tools. Do we have any official document which can be shared with the customers?
Pega applications are becoming roadblocks for getting security clearances from security advisers. It would be good, and easier for Pega customers, if Pega could share or publish a white paper about its policy which customers can use to get clearance.
Pegasystems Inc.
US
Rajani,
I do not know of any official document which can be shared with customers.
Matt
Updated: 31 Mar 2016 15:51 EDT
Pegasystems Inc.
US
Rajani,
I was referred to one document which I was told is shareable with customers and may answer some of your concerns. The document is attached to this reply.
Matt