Pegasystems permits Pega Cloud Services clients and Pega Cloud for Government clients (hereinafter referred to as "Pega Cloud " clients) to conduct security assessments for applications on Pega Cloud as needed, when Pega Cloud clients perform such assessments within the guidelines described in this article.
Pegasystems permits application-tier vulnerability scanning when Pega Cloud clients need to assess and report on the security of their Pega Cloud-delivered applications, client-directed development, and related services for the purposes of internal audit or compliance programs.
Vulnerability Testing ProcessPrerequisites
Pega Cloud clients must complete the following tasks before engaging in the Vulnerability Testing Process:
- Adhere to the Pega Cloud Vulnerability Testing Policy.
- Validate that the tool or service that you will employ for vulnerability testing is not configured to perform any of the functions described in the Prohibited Activities section of the Vulnerability Testing Policy.
- Secure the deployed applications according to the Security Checklist.
Before clients can begin any vulnerability testing, Pegasystems requires that clients harden the Pega applications that will be tested. For details on application hardening, please review the Security Checklist and complete all the applicable steps.
Again, note that some of the steps in this Checklist do not apply to a Pega Cloud Development and Testing environment. For example, one step states to “set the system production level to 5.” Pega Cloud Development and Testing environments are set to “2” and cannot be changed. Clients must take these factors into account when reviewing vulnerability test results.
- Initiate a Pega Support request.
Authorized contacts for the client submit a service request ticket in the My Support Portal or call the help desk to initiate the process for the a client-led vulnerability scan. Allow at least one business day for notice before the start of a vulnerability scan.
To submit this ticket directly, select New Request in My Support Portal. In this request, choose For something I need and then click Other. For the latest documentation on making requests, see My Support Portal: New Design, Streamlined Features.
Pega Cloud clients who employ allow lists or who limit access for their environments to private networks must include a temporary allow list for the source testing IP addresses in their service request.Clients must provide the following information in this service request:
- Contact details, including email address and office and mobile phone numbers
- Description of the assessment and test cases
- Start and stop dates of the test
- Source IP address of the scanning tool or service
- The Service Request is received.
Global Client Support receives the support request, documents it in our testing calendar, and closes the request. (There is no longer any need for authorization.)
- Provide report to Pega through My Support Portal.
Authorized contacts for the client are required to share an executive summary report (at a minimum) of the results of the vulnerability tests with Pega to help the continuous improvement of cloud services. Pegasystems requests that clients send a full report, if possible. To enter a Service Request to submit this report, select New Request in My Support Portal.
Distribution of the report beyond Pegasystems and the client is subject to mutual written agreement.
Reporting a finding
If the client discovers any vulnerabilities or other security issues which are rated “very high” or “critical” within any Pega Cloud in the course of their security assessment, an authorized contact for the client must report this issue directly to Pegasystems within 24 hours of discovery, by selecting New Request in My Support Portal.
In this request, the client should choose For something I need and then click Other. For the latest documentation on making requests, see My Support Portal: New Design, Streamlined Features.Enter a Short Description of this issue similar to the following:
P1 Vulnerability Finding: <short description of issue>
For example, P1 Vulnerability Finding: activity should require permissions
(This description allows Pega to route this issue to the Cloud Security Operations team as quickly as possible.)
In the full description of the issue, please include:
- Date Issue was Discovered
- Who Discovered
- Contact Information (Who should be contacted about this issue?)
- Contact Information
- Supporting Data and Screen Shots (excluding any sensitive or personally-identifiable information)
Tips for Security Testing
Pega Cloud client's security testing should be a positive experience that efficiently gathers the objective evidence you need, without errors or interruptions. Below are some helpful tips to ensure successful testing:
- Rate limits – Limit scanning to 1Gbps or 10,000 RPS.
- Source Testing IP Addresses – Because of the dynamic nature of cloud environments, verify all IP addresses in test plans prior to the beginning of a test to ensure current ownership of the IP address. Any attempt to test with unauthorized source IPs addresses will be considered a violation of the Pega Cloud Acceptable Use Policy.