You are here: Reference > Tools, accelerators, and wizards > Rule Security Analyzer

About the Rule Security Analyzer

To help you make your PRPC applications more secure, you can run the Rule Security Analyzer. This tool searches through non-autogenerated rules to find specific JavaScript or SQL coding patterns that may indicate a security vulnerability.

To use the analyzer, you need to have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.

Note that:

The Analyzer examines only custom code, not autogenerated rules. For example, the tool examines only those flow actions and sections for which the Auto Generated HTML check box on the HTML tab is not selected.
Blocked rules are ignored. These rules are identified by the property .pyRuleAvailable = "Blocked". Deprecated rule types are also ignored, as deprecated rules are marked as blocked.
The tool scans rules in your own applications, not rules in standard Pega- RuleSets.

To access the tool, select > Org and Security > Tools > Security > Rule Security Analyzer. The Search Criteria form appears in a new window.

Completing the Search Criteria form

The form has seven fields, two of which are required. The other fields let you restrict the analysis to a particular subset of the application's rules and code.

Field	Description
RuleSets	Select one or more RuleSets to analyze.
Rule Types	Optional. You can choose one or more rule types within the chosen RuleSet(s) to scan; or make no selection, in which case the tool scans all rule types.
Expression	Select the regular expressions rule to use. See Regular Expressions, below.
RuleSet Version	Optional. Leave the field blank to have the tool analyze all versions. To limit the analysis, enter major version only ("05"); major and minor version ("05-05"); or major version, minor version, and patch ("05-05-50").
Highest Version Only	Select True to scan only the highest version of each rule; select False to scan all versions.
Updated Since	Optional. Leave the field blank to not limit the analysis by date. To scan only rules updated after a certain date and time, click the calendar button and enter the date and time to use.
Also list activities that may start unauthenticated	If checked, the scan analyzes activities which have May start? checked and Authenticate? unchecked on the Security tab of the Activity rule form.

When you have completed your settings, click Run, or Run and Export all to Excel.The system runs and displays a summary view of the results. See Analyzing the results, below.

Regular expressions

The Rule Analyzer searches for vulnerabilities in code by searching for matches to regular expressions (regex) defined in Rule Analyzer Regular Expressions rules. The system provides these standard regular expressions:

pyCrossSiteScripting
pyCrossSiteScriptingFromParam
pyCssInLink
pyScriptJS
pyUnsafeURL

The most effective search for vulnerabilities is to re-run the Rule Analyzer several times, each time matching against a different Regular Expressions rule.

You can supplement the Pega-supplied regular expressions with additional regular expressions you create. See About Regular Expression rules.

Analyzing the results

To examine details of the report, click the + sign to drill down and display the rules in a rule type displaying a total other than 0. Click the rule to open a separate window showing details for that rule type.

If you export to Excel, the system may display a warning that the file ExportData[1].xls is in a different format than is expected. Click Yes to open the file.

Note that a match to the Rule Analyzer Regular Expressions rule does not guarantee that the result constitutes a vulnerability in the code. You must review the results to determine if any matches are false positives.

	regular expression
	About Regular Expression rules About the Pega-SecurityVA agent

Tools — Organization and Security

Open topic with navigation