To address vulnerabilities related to the OWASP A3_2017-Sensitive_Data_ directive

Hello All, hope you’re all doing well.

We are currently facing an issue that still isn’t clear to us how to resolve, even after raising a support ticket with Pega.

According to our security team, the Pega applications have a vulnerability gap related to the OWASP A3_2017-Sensitive_Data_ directive.

A test was conducted using the Pentest tool, and it was identified that when filling out a form in one of our applications, the information becomes visible. Using the browser’s debugging tools, we can see in the Network tab (as shown in the attached image) the content of the form request payload in plain text.

According to our security team, this information must be encrypted or masked. We understand that applying the Data Encryption configuration within the platform will be sufficient for addressing the issue of data storage in the database. However, regarding this point of the web form and communication with the backend for processing, it doesn’t seem feasible—or am I mistaken? I need an idea, some guidance, to help resolve this issue.

Regards.

@GuiValino1984 please can you confirm the support ticket you raised for this issue?

Ticket INC-C11560 (To address vulnerabilities related to the OWASP A3_2017-Sensitiv) is still open and you were given the following update:

  • The data captured from the browser network trace is in plain text.
  • This data is transmitted via HTTPS and is encrypted using a public certificate key.
  • Only the server possessing the private certificate key can decrypt this data.

Pentest tools such as Burp Suite typically employ what is known as a man-in-the-middle attack.

This tool establishes a proxy and launches a browser that connects to this proxy. When the browser accesses a website, the proxy can read the data in plain text by substituting the actual certificate with its own.

Additionally, please review this article from Pega:

Fortifying Pega Cloud Applications: A Comprehensive Security Guide | Support Center

Mitigating common security vulnerabilities

Securing and auditing data

Your Client Success Manager has opened a Client Inquiry for you, and they will make contact with you for any official answer required.
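An added example (mine, not Pega’s code or anything from the ticket) for the point above: the Network tab shows plaintext because the browser itself is the TLS endpoint, and an interception proxy can only read the traffic by presenting its own certificate in place of the site’s. The stdlib Python check below compares the certificate a client actually received against the issuing CA expected for the host, which is how that substitution is detected on the defending side; the CA name, host names and certificate dicts are constructed samples.

```python
import socket
import ssl

# Constructed allowlist: the issuing CA(s) we expect to sign certificates for our own Pega hosts.
TRUSTED_ISSUER_CNS = frozenset({"Example Corporate Issuing CA"})

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns (names are tuples of RDNs).
LEGIT_CERT = {
    "subject": ((("commonName", "pega.example.com"),),),
    "issuer": ((("commonName", "Example Corporate Issuing CA"),),),
    "subjectAltName": (("DNS", "pega.example.com"), ("DNS", "*.pega.example.com")),
}
PROXY_CERT = {  # what the client sees when an interception proxy re-signs the site certificate
    "subject": ((("commonName", "pega.example.com"),),),
    "issuer": ((("commonName", "Interception Proxy CA"),),),
    "subjectAltName": (("DNS", "pega.example.com"),),
}


def _san_matches(cert, hostname):
    """True if a DNS subjectAltName covers hostname; a wildcard covers exactly one label."""
    host = hostname.lower()
    for pattern in (v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"):
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.count(".") == pattern.count(".") and host.endswith(pattern[1:]):
            return True
    return False


def interception_indicators(cert, hostname):
    """Return reasons the certificate looks re-signed by someone other than our CA; [] means clean."""
    findings = []
    # getpeercert() encodes the issuer as ((("commonName", "..."),), ...); pull out the CN.
    issuer_cn = next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), None)
    if issuer_cn not in TRUSTED_ISSUER_CNS:
        findings.append(f"unexpected issuer: {issuer_cn!r}")
    if not _san_matches(cert, hostname):
        findings.append(f"subjectAltName does not cover {hostname!r}")
    return findings


def fetch_peer_cert(hostname, port=443):
    """Certificate a real client receives, validated against the OS trust store. If a proxy CA
    was installed as trusted, validation still passes and the issuer check above is what reveals it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

fetch_peer_cert needs network access and exists only to feed a live certificate into interception_indicators; the constructed samples exercise the logic offline.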

@GuiValino1984

An answer has already been provided in INC-C11560. If you have further questions, please update the INC.

Thank you.

  • Michael