Security Audits in Pega Platform PDF


Summary

This document is a guide to security audits in Pega Platform. It covers various aspects of security auditing, including system functions, security alerts, best practices for deploying applications, and security event logs. The document also details different types of security auditing, such as authorization events, data access events, and Security administration events.

Full Transcript


20/08/2024, 12:42 | Pega Academy
Security audits in Pega Platform
4 Topics | 1 hr 20 mins | Release 1 | Pega Platform '23 | English
https://academy.pega.com/module/security-audits-pega-platform/v1/print

Security audits in Pega Platform™ can help you assess the security measures, policies, and procedures of an organization to identify any vulnerabilities or weaknesses that attackers could exploit. The audit might cover physical security, network security, data security, and other aspects. The purpose of a security audit is to provide an objective evaluation of an organization's security and to identify areas of improvement to reduce the risk of security breaches.

After completing this module, you should be able to:
- Review system functions for any potential problems.
- Monitor security alerts.
- Describe the Pega best practices for securely deploying applications.
- Explain security event logs.

Available in the following mission: Security Design v4

Topics

Security auditing

To understand how your system functions and be alerted of any potential problems, track the changes to your system. By default, Pega Platform™ tracks many types of security events, such as failed logins, password changes, and changes to Rules and Data.

System auditing

Pega Platform provides comprehensive Security Information and Event Management (SIEM) features with which you can:
- Monitor all security-related activity in the system.
- Create reports that analyze patterns of system usage.
- Identify patterns of suspicious behavior.
- Determine the scope of the damage if any vulnerabilities are exploited.

Data auditing

The Pega Platform History- class supports auditing by capturing all data changes in Rules and Cases. The History- class automatically captures the following updates:
- For Rules and Cases: changes to the operator ID
- For standard properties: any changes to field-level tracking

Audit user and developer actions

In addition to tracking data changes in Rules and Cases, you can audit user and developer actions that might affect the security of your application. This information might indicate suspicious behavior by a developer or user.

All security events include the following information: date and time, application name, node, IP address, tenant ID, operator ID, event class (authentication or authorization), and event type.

Event types that can be audited

In Security Event Configuration, there are three types of events you can audit: authentication events, data access events, and security administration events. To access the Security Event Configuration, in the header of Dev Studio, click Configure > Org & Security > Tools > Security > Security Event Configuration.

Authorization events

Authorization events assist developers by tracking:
- Successful and failed login attempts
- Password changes
- Session terminations
- Logouts
- Changes to operator records

Data access events

Data access events assist developers by tracking:
- Successful attempts to open cases
- Attempts to open cases that fail because of security policies
- SQL queries to the database
- Changes to report filters
- Full-text searches

Security administration events

Security administration events assist developers by tracking:
- Changes to security authentication policies
- Changes to attribute-based access control (ABAC) policies and policy conditions
- Changes to role-based access control (RBAC), including changes to Rule-Access-Role-Obj (RARO) rules
- Changes to dynamic system settings
- Changes to content security policies (CSP)
- Changes to Access Groups
- Changes to work queues
- Invocations of Access Manager

OAuth 2.0 events

OAuth 2.0 events assist developers by tracking:
- Token requests
- Token revocations
- Invalid tokens
- API requests
- Client Rule form changes
- Dynamic client registration

Field level auditing

Field-level auditing enables you to monitor changes to important data values in your cases. From a security perspective, it is useful to track modifications when sensitive data is involved. You can easily configure fields in App Studio or Dev Studio to track changes in a case type. As a result, you can maintain compliance and follow changes to critical information in critical cases.

Rule changes are saved as instances of the History-Rule class, and data instances are saved as instances of a subclass of the History-Data- class.

When field-level auditing is enabled, the following details are captured:
- The property name
- The values added (if any are added)
- Changed values (the from value and the to value)

For aggregate properties, the following details are captured:
- Two entries when a value is changed: one entry about deleting the prior value and another about adding the new value.
- Only one level of nested PageList mode properties, because only one level is supported.
- Nested PageGroup mode properties are not supported.

See Auditing changes to aggregate properties for more details.

Field-level auditing does not support the Data reference, Page group, Value Group, and Value List property field types.

To enable security auditing for a data class or a Rule Type, you need to create a data transform and a declare trigger. For more information, see Enabling security auditing for a data class or Rule Type and Auditing field-level changes to security Rule and data instances. For more information about enabling field-level auditing in Constellation applications, see How to enable field-level auditing for a Constellation based application.

For more information about security auditing, see the following topics:
- Auditing
- Enabling field-level auditing
- Tracking and auditing changes to data

Note: Enabling audit tracking on each property adversely impacts the performance of the application. Enable audit tracking only for the important data fields that are critical for the business.

Security Checklist review

Pega prioritizes application security and system security. Security is a shared responsibility between Pega and its clients. Every new release of Pega Platform™ enhances the security features that strengthen applications and systems against unauthorized access and safeguard the data that those applications handle.

The Security Checklist presents Pega best practices for securely deploying applications. Pega Platform offers several built-in methods to track the status of each Task and displays the overall completion of the checklist on the Dev Studio landing page to help you monitor the completion of the tasks.

The following figure shows the Application Guides menu in Dev Studio where you can access the checklist.

The Security Checklist offers Pega best practices for the secure deployment of applications. It helps safeguard the confidentiality, integrity, and availability of your application during its production phase. The checklist delineates the optimal timing for each Task, emphasizing when to perform them:
- At or near the Project's initiation.
- On an ongoing basis throughout Development.
- Just before the Deployment phase.

By adhering to the Security Checklist, you can proactively address security concerns at the outset, maintain vigilance throughout Development, and prevent costly rework in the later stages of the Development process. The Security Checklist comprises core tasks and additional tasks. Core tasks in the Security Checklist occur during the development and production stages.

Security is critical, and as a Lead System Architect (LSA), it is your responsibility to maintain the confidentiality, integrity, and availability of your application.

Core tasks to perform during development

Perform the following actions to define the security of your application during development:
- Address security alerts promptly. Examples of security alerts include:
  - SECU0001 - Unexpected properties received in an HTTP request
  - SECU0019 - Unauthorized request detected
- Securely authenticate attempts to access services. To configure a stronger authentication mechanism that matches your organization's requirements, use a custom Authentication Service. To build authenticated custom REST services, use a custom Service Package that employs a suitable authentication mechanism in line with your organization's requirements.
- Define appropriate roles and privileges to restrict access.
- Appropriately encrypt data. Encryption is a method to safeguard sensitive data within your application without impacting the functionality of the Pega Platform. Encryption uses a cipher algorithm to transform readable text (plaintext) into an unreadable secret format (ciphertext). The ciphertext can only be decrypted with the correct encryption key.
- Review the Application Guardrails landing page weekly and make changes to keep your application Rules in compliance.

Core tasks to perform during production

Perform the following actions to define the security of your application during the production phase:
- Set the system production level to 5.
- Lock Rulesets.
- Do not deploy checked-out Rules.
- Block unnecessary roles and operators from production.
- Secure passwords.
- Configure application settings and system settings for production.
- Configure cross-site request forgery (CSRF) settings.
- Define appropriate Content Security Policies.
- Define appropriate Cross-Origin Resource Sharing (CORS) policies for REST services.
- Configure logging levels appropriately.
- Define and map authentication services to the application.

Additional tasks

The following settings do not apply to all applications but depend on client needs and are application-specific:
- Password format policies
- CAPTCHA policies
- Session lockout policies
- Login attempt auditing policies
- Multifactor authentication
- Operator access policies
- Configuration of authentication timeouts
- Secure database access
- Audit changes to application data
- Configuration of security event logging

For more information, see Security checklist.

Security alert monitoring

Pega Platform™ logs security alerts when it detects a condition that may indicate a security incident. Security alerts are generated in the security alert log (ALERTSECURITY log file) when a Pega Platform server's security is at risk. For example, if someone tries to hijack a user session, Pega Platform generates security alerts, which can be viewed in the security alert log. Security alert codes begin with the letters SECU. A Security Administrator is responsible for regularly reviewing and addressing these security alerts.

The alerts include events for:
- User switching attempts
- Access to restricted activity, stream, or report
- Unauthorized data access
- Session hijacking
- Cross-site request forgery (CSRF) attacks
- Injection attacks
- Content Security Policy violations

The importance of security alerts

Reviewing logs regularly helps you identify malicious attacks on your system. The following table shows an example of some alerts and their descriptions:

Alert      Description
SECU0006   Generated when excessive login attempts are made; this might mean that the system is under a brute force attack or that the user forgot the password.
SECU0008   Generated when a cross-site request forgery (CSRF) attack was detected and blocked.
SECU0019   Generated when a control issues a request that has not been registered.

Pega Platform categorizes application alerts, such as performance alerts, security alerts, database alerts, operations alerts, robotics alerts, and others. To learn more about security alerts, refer to the alerts overview article on Pega Community.

To identify security threats before deploying your application to the production environment, configure the application server in your test environment to mirror the production environment.

Security event logging

In addition to auditing data and rule modifications and recording work history, Pega software can record security-related events to a file named PegaRULES-SecurityEvent.log. You can access this log file from Dev Studio by clicking Configure > System > Operations > Logs > Log files.

Clicking Configure > Org & Security > Tools > Security > Security Event Configuration displays which types of events are recorded. There, you can enable or disable custom event logging.

Note: The Security Event Configuration allows you to turn only custom events on or off. The Security Event Configuration setting does not provide control over when individual custom events are logged. For example, you can define a parameterized When rule to control whether a data transform step or an activity step records a custom security event. The When rule parameter can be used to perform a data page-mediated lookup to see whether logging of the custom event has been enabled.

Custom event logging can be used to help fulfil client-based access control (CBAC) auditing requirements.

It is possible to log a custom event within an activity Java step by using:

    tools.getSecEventLogger().logCustomEvent(PublicAPI tools, String eventType, String outcome, String message, Map customFlds)

The parameters are:
- eventType: Name of the event type, used to keep track of custom events
- outcome: The outcome of the event
- message: Any message that a user needs to log as part of the event
- customFlds: A map of key-value pairs that log extra information for the event

However, a better long-term approach is to execute this API from a Rule-Utility-Function (RUF), as future versions of Pega Platform™ may curtail the use of Java steps in activities. The Pega Community topic Adding a custom security event explains how to record a custom security event by creating a Java step within an activity.

It is overly complex to require code that calls a function to supply a StringMap (Map) customFlds parameter. The function can instead accept a text-based ValueGroup property, which is converted to a StringMap within the function. The following steps describe how to configure this function:
1. Create a library and function.
2. Have the function accept four parameters (String, String, String, ClipboardProperty).
3. Make the supplied ClipboardProperty a ValueGroup.

The function converts the ValueGroup ClipboardProperty to a locally declared Map customFlds variable:

    // A function has no implicit "tools" reference, so obtain the PublicAPI
    // from the current requestor thread.
    PublicAPI tools = null;
    PRThread thisThread = (PRThread) ThreadContainer.get();
    if (thisThread != null) {
        tools = thisThread.getPublicAPI();
    } else {
        throw new PRAppRuntimeException("Pega-RULES", 0, "Unable to obtain current thread");
    }

    // Flatten the ValueGroup into the key-value map that logCustomEvent expects:
    // each subscript name becomes a key and its text value becomes the value.
    Map customFldsMap = new HashMap();
    java.util.Iterator iter = customFlds.iterator();
    while (iter.hasNext()) {
        ClipboardProperty prop = (ClipboardProperty) iter.next();
        customFldsMap.put(prop.getName(), prop.getStringValue());
    }

    tools.getSecEventLogger().logCustomEvent(tools, eventType, outcome, message, customFldsMap);

The following is an example of a custom security event as written to the log:

    {"id":"c86a4299-9355-418b-b95d-519f842693d1","eventCategory":"Custom event","eventType":"FooBla","appName":"Booking","tenantID":"shared","ipAd
    "timeStamp":"Fri 2019 Jul 12, 17:46:05:284","operatorID":"Admin@Booking",
    "nodeID":"ff9ef7835fd4906aea82694c981938d0","outcome":"Fail","message":"F failed","requestorIdentity":"20190710T213105"}

Note: The event category for every custom security event is Custom Event. To enable or disable logging of a specific custom security event type, use the (custom) eventType value as a When rule parameter. The When rule uses the parameter to perform a node-level data page lookup. If the lookup shows that logging of the custom eventType is enabled, the When rule returns true, and in turn the custom security event-logging function (RUF) is called.
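As an added example that is not part of the Pega Academy module, the following Python script reads a few constructed PegaRULES-SecurityEvent.log entries in the one-JSON-object-per-line shape shown above, skips a truncated entry, and flags operators whose failed logins cluster inside a short window, which is the condition the SECU0006 alert describes. The eventCategory value "Authentication", the eventType "Login", the "ipAddress" key and all sample values are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the JSON shape of PegaRULES-SecurityEvent.log.
# "Authentication"/"Login", the "ipAddress" key and every value are assumptions;
# the last line is deliberately truncated to exercise the malformed-line path.
SAMPLE_LOG = """\
{"id":"e1","eventCategory":"Authentication","eventType":"Login","appName":"Booking","tenantID":"shared","ipAddress":"203.0.113.7","timeStamp":"Fri 2019 Jul 12, 17:40:01:000","operatorID":"alice@Booking","nodeID":"n1","outcome":"Fail","message":"Login failed","requestorIdentity":"r1"}
{"id":"e2","eventCategory":"Authentication","eventType":"Login","appName":"Booking","tenantID":"shared","ipAddress":"203.0.113.7","timeStamp":"Fri 2019 Jul 12, 17:40:30:120","operatorID":"alice@Booking","nodeID":"n1","outcome":"Fail","message":"Login failed","requestorIdentity":"r2"}
{"id":"e3","eventCategory":"Authentication","eventType":"Login","appName":"Booking","tenantID":"shared","ipAddress":"203.0.113.7","timeStamp":"Fri 2019 Jul 12, 17:41:02:500","operatorID":"alice@Booking","nodeID":"n1","outcome":"Fail","message":"Login failed","requestorIdentity":"r3"}
{"id":"e4","eventCategory":"Authentication","eventType":"Login","appName":"Booking","tenantID":"shared","ipAddress":"198.51.100.9","timeStamp":"Fri 2019 Jul 12, 17:41:10:000","operatorID":"bob@Booking","nodeID":"n1","outcome":"Fail","message":"Login failed","requestorIdentity":"r4"}
{"id":"e5","eventCategory":"Authentication","eventType":"Login","appName":"Booking","tenantID":"shared","ipAddress":"198.51.100.9","timeStamp":"Fri 2019 Jul 12, 17:41:45:000","operatorID":"bob@Booking","nodeID":"n1","outcome":"Success","message":"Login ok","requestorIdentity":"r5"}
{"id":"e6","eventCategory":"Custom event","eventType":"FooBla","appName":"Booking","tenantID":"shared","ipAddress":"203.0.113.7","timeStamp":"Fri 2019 Jul 12, 17:46:05:284","operatorID":"Admin@Booking","nodeID":"n1","outcome":"Fail","message":"Foo failed","requestorIdentity":"r6"}
{"id":"e7","eventCategory":"Authentication","eventType":"Login","appName":"Booking","tenantID":"shared","ipAddress":"203.0.113.7","timeStamp":"Fri 2019 Jul 12, 17:55:00:000","operatorID":"alice@Booking","nodeID":"n1","outcome":"Fail","message":"Login failed","requestorIdentity":"r7"}
{"id":"e8","eventCategory":"Authentication","eventType":"Login"
"""

TS_FORMAT = "%a %Y %b %d, %H:%M:%S:%f"  # matches "Fri 2019 Jul 12, 17:46:05:284"


def parse_events(text):
    """Parse one JSON object per line; skip malformed or incomplete entries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["timeStamp"], TS_FORMAT)
        except (ValueError, KeyError, TypeError):
            continue  # one bad line must not abort the whole review
        events.append(ev)
    return events


def excessive_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Return {operatorID: most failed logins seen inside any `window`} for
    operators that reach `threshold`; custom and successful events are ignored."""
    failures = defaultdict(list)
    for ev in events:
        if (ev["eventCategory"], ev["eventType"], ev["outcome"]) == ("Authentication", "Login", "Fail"):
            failures[ev["operatorID"]].append(ev["ts"])
    flagged = {}
    for operator, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[operator] = peak
    return flagged
```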
