Question
Pegasystems Inc.
GB
Last activity: 22 Aug 2019 7:29 EDT
Information on Pega platform vulnerability assessment
We have received a question from a customer regarding vulnerability assessment conducted for Pega platform.
Specifically they would like to know if such assessments are performed before Pega product release and does the assessment include checking against OWASP Top 10 list.
***Edited by Moderator Marissa to update platform capability tags****
Pegasystems Inc.
IN
Hi @GODZE,
Thanks for posting on PSC. Does this PDN article and the links within it help you: Security checklist for deploying applications
Please let us know
Regards,
Pegasystems Inc.
GB
Hi Lochana, thank you for the PDN article. Although it is helpful, it does not explain what Pega does as part of vulnerability assessment/penetration testing to make sure Pega platform is secure, especially against OWASP Top 10 security risks.
Pegasystems Inc.
IN
Hi,
The OWASP Top 10 Vulnerabilities are:
• A1 Injection.
• A2 Broken Authentication and Session Management.
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References.
• A5 Security Misconfiguration.
• A6 Sensitive Data Exposure.
• A7 Missing Function Level Access Control.
• A8 Cross-Site Request Forgery (CSRF)
Assessment Tools
There are many tools available to do the vulnerability assessment: examining code, rules, configuration, data, etc.
The following are vulnerability assessment tools, and it is important to choose the right tool according to the scope of coverage and the requirements. Also, the security audit should be done before release testing so that there is time to get any platform threats fixed.
Pega Security Vulnerability Assessment Tools
1. PegaFuzz
2. Rule Security Analyzer
3. If you need to assess other security vulnerabilities which are not covered by the above Pega tools:
- AppScan
- Burp Suite
- OWASP ZAP
- SOAPUI
- JavaSnoop
All these tools allow either automated or manual testing to assess the features.
Pega Fuzz
• PegaFuzz is a tool that takes a Fiddler-recorded PRPC scenario and plays it back while modifying input parameter values to contain attack payloads.
• The resulting PRPC responses are examined to determine if PRPC processes the payloads appropriately, such that the security of the application and browser are not breached. When PegaFuzz detects a security vulnerability, it identifies the offending rule for you to fix.
• For this process we need to use Fiddler and Spy Vs. Spy.
• The Fiddler tool is used to capture the network traffic in a .saz file.
• The Spy Vs. Spy tool (http://sengwin246) is used to audit for the vulnerabilities.
• This tool will attempt to find any of the following vulnerabilities that an attacker may be able to use:
– XSS
– SQLi
– So choose this tool if the scope of the audit is XSS and SQLi.
Rule Security Analyzer
This tool searches through non-auto-generated rules to find specific JavaScript or SQL coding patterns that may indicate a security vulnerability.
The Rule Analyzer searches for vulnerabilities in code by searching for matches to regular expressions (regex) defined in Rule Analyzer Regular Expressions rules.
The system provides these standard regular expressions:
- pyCrossSiteScripting
- pyCrossSiteScriptingFromParam
- pyCssInLink
- pyScriptJS
- pyUnsafeURL
- pyCrossSiteScriptingActiveValue
- pySQLInjection
- pyXMLExternalEntity
- pySystemCall
- pyDispatcherPattern
So choose this tool if the security audit scope is to audit JS or SQLi.
Rule Security Analyzer can be accessed and configured from Designer Studio -> Org & Security -> Tools -> Security.
Other Tools
We need to use other tools if the scope of the security audit is to audit all the OWASP Top 10 vulnerabilities. Most customers use the following tools for security audits:
- IBM AppScan
- Burp Suite
- OWASP ZAP
- SOAPUI
- JavaSnoop
- Veracode
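To make the Rule Security Analyzer approach described above concrete, here is an added example (not Pega's code, and not from this thread) of a regex-driven scanner over hand-written rule source. The pattern names mirror those listed above, but the regex bodies, the `Finding` type and the sample rule sources are illustrative assumptions of mine, not Pega's shipped definitions.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative patterns in the style of the Rule Security Analyzer's
# standard regex rules. The names mirror those listed on the page; the regex
# bodies are my own assumptions, not Pega's shipped definitions.
PATTERNS = {
    # SQL keyword followed by a string literal closed and concatenated with a variable
    "pySQLInjection": re.compile(
        r'(?i)\b(select|insert|update|delete)\b[^;"]*["\']\s*\+\s*\w+'),
    # document.write() whose argument draws on a request/activity parameter
    "pyCrossSiteScriptingFromParam": re.compile(
        r'(?i)document\.write\s*\([^)]*(param|tools\.getParam)'),
    # dynamic script evaluation
    "pyScriptJS": re.compile(r'(?i)\beval\s*\('),
    # shelling out from Java source
    "pySystemCall": re.compile(r'Runtime\.getRuntime\(\)\.exec\s*\('),
}

@dataclass(frozen=True)
class Finding:
    rule: str      # the offending rule, so the developer knows what to fix
    pattern: str   # which regex rule fired
    line: int
    snippet: str

def scan_rule(rule_name: str, source: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit in a rule's hand-written source."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), 1):
        for pname, regex in PATTERNS.items():
            if regex.search(text):
                findings.append(Finding(rule_name, pname, lineno, text.strip()))
    return findings

def scan_all(rules: dict[str, str]) -> list[Finding]:
    return [f for name, src in rules.items() for f in scan_rule(name, src)]

# Constructed sample rule sources (hypothetical rule names; not real Pega rules).
SAMPLE_RULES = {
    "GetCustomerByName": 'String sql = "select * from customer where name = \'" + name + "\'";',
    "ShowGreeting": "<script>document.write('Hello ' + tools.getParamValue('user'));</script>",
    "SafeLookup": 'PreparedStatement ps = con.prepareStatement("select * from customer where id = ?");',
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_RULES):
        print(f"{f.rule}:{f.line} [{f.pattern}] {f.snippet}")
```

The parameterised `SafeLookup` rule produces no finding, while the concatenated query and the `document.write` of a parameter are each reported with the rule name to fix.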
Pegasystems Inc.
GB
Thank you chandrasekhar_g.
Information you provided lists what the 10 top OWASP risks are and how we can make sure an implementation is secure. I have already found this information on PDN.
Unfortunately, it still does not explain what Pega as a Pega platform provider does to make sure Pega platform is secure, not Pega implementation.
Pegasystems Inc.
IN
Hi,
Please find the whitepapers at the following link, which explain security at Pega: https://community.pega.com/knowledgebase/articles/security-pega
Mainly, the two whitepapers below from the above link may give the information you are looking for:
1. Pega platform application security (https://community.pega.com/system/files/pdfs/Pega%20Platform%20Application%20Security_3.pdf)
2. Pega IT security (https://community.pega.com/system/files/pdfs/committed-to-security-feb2018.pdf)
Anthem
US
Hi Moderators,
Unable to access the below-mentioned link:
https://community.pega.com/system/files/pdfs/Pega%20Platform%20Application%20Security_3.pdf
Please help. Thank you.
Pegasystems Inc.
US
The link is now https://community.pega.com/knowledgebase/documents/pega-platform-application-security, which is referenced in this page: Security at Pega, a couple of comments above.
Thanks!