Question
Areteans Technology Solutions
IN
Last activity: 12 Sep 2017 10:01 EDT
How to ensure that application is compliant with client security checklists
In most of the pega projects at some point client asks for security compliancy check against their security checklist, while doing that we normally refer to "Pega Platform Application Security" standard document, however still we find many things in the client checklist which aren't mentioned in "Pega Platform Application Security doc". for example please see below items
1. Specify proper character sets, such as UTF-8, for all sources of input.
2. Encode data to a common character set before validating (standard form)
3. Validate all client provided data before processing, including all parameters, URLs and HTTP header content (e.g. Cookie names and values). Be sure to include automated post backs from JavaScript, Flash or other embedded code.
4. Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8 decoding is completed.
5. Verify that header values in both requests and responses contain only ASCII characters.
6. Set the "secure" attribute for cookies transmitted over a TLS connection.
7. Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters
In most of the pega projects at some point client asks for security compliancy check against their security checklist, while doing that we normally refer to "Pega Platform Application Security" standard document, however still we find many things in the client checklist which aren't mentioned in "Pega Platform Application Security doc". for example please see below items
1. Specify proper character sets, such as UTF-8, for all sources of input.
2. Encode data to a common character set before validating (standard form)
3. Validate all client provided data before processing, including all parameters, URLs and HTTP header content (e.g. Cookie names and values). Be sure to include automated post backs from JavaScript, Flash or other embedded code.
4. Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8 decoding is completed.
5. Verify that header values in both requests and responses contain only ASCII characters.
6. Set the "secure" attribute for cookies transmitted over a TLS connection.
7. Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters
This are just few of them, there are usually many such items for which we don't find much help anywhere in pdn communities or any document, it's even hard to understand which of this client security checklist items is supposed to handle in pega, and which ones at app server , operating system or infrastructure or network level etc hence not pega's responsibility to handle.
Please inform if any such document or online article is available which will help us answer all this kind of security question asked by client. Frankly I appreciate if pega introduce a online course for such security related stuff which falls outside pega's domain and are at app server or infrastructure level. With this LSA's will be better equipped to answer this kind of security questions.
Regards
Abhi
Pegasystems
IN
We are adding a "Application Security Guide" that covers all the things we think are needed to secure applications. This is coming in 7.3.1. Thanks for your list, we will go through them and add to our guide.
Areteans Technology Solutions
IN
Thanks Srikanth for prompt response.
I hope this document of yours is different from "Pega Platform Application Security" doc which we already have.
Can you please let me know any tentative date when it is coming out, actually we are currently working on a pega marketing project on base pega 7.1.7 and in urgent need of one such document, don't want to push, but will really appreciate if we can have it now :) .
Additionally as I mentioned above list is not at all an exhaustive one, have many such requirements, if you want can forward you that.
Regards
Abhi
Pegasystems Inc.
US
The Application Security Guide in 7.3.1 that Srikanth refers to is not a new version of the Security Checklist PDN article. It instead takes the content of that article and puts it into an instance of the Application Guideline ruletype introduced in 7.3.
The intent is to provide a single summary of security best practices for securing an application in production, with a simple interface that is integrated directly into Designer Studio (a copy of the rule is automatically created for every application version), that is highly visible (a summary of which tasks have been done and remain to be done appears on the Home page and on the Guardrails landing page), and where the tasks are auditable (the checklist shows when and by whom each task was checked off, and you can easily create user stories from the tasks to track status and completion in more detail). Each task links directly to a landing page, PDN article, or Help topic to provide more information and instructions.
Marty Solomon and I are the gatekeepers for what tasks will be considered best practices and worth including in the checklist. We'll be reviewing the above items and would love to get more from you. We want this to be the one source with the best advice for all - Engineering, Field Services, partners, and customers. I'll contact you soon to review.
Updated: 11 Sep 2017 4:17 EDT
Areteans Technology Solutions
IN
Thanks GUYOM for the info.
If the said document is going to have the content of Security Checklist PDN article then I think there is no hurry in getting the document as we can refer to the article.
However if that document intends to address all the security checklist which I am talking that client asks for then that's something I am really lookng forward for, I am sharing you the list of security checklist for my current client straightaway which we are having hard time to fill using any article we have in PDN.
Any assistance in this regard at the earliest will be much appreciated.
** Please note as the attached is a client document request you keep it between Pega and ericsson.
Regards
Abhi
***Updated by moderator: Lochan to remove file attachment as it contains proprietary information***
Pegasystems Inc.
IN
Hi Abhi,
Since this client document might hold proprietary information, I have taken it off the post. I will start a PDN Private Message for you to share the details.
Regards,