SAP Hybris Implementation Review

Often times when I start my work with a new client, one of the first things they want to know is my opinion about their SAP Hybris implementation.
I like to think of it as a medical second opinion “after the fact”. This is especially true when a new person responsible for the e-commerce department comes in and has no real feel for how the system was written by the SI or the in-house IT folks.

SAP Hybris is a fantastic platform that has been named one of the top systems in the e-commerce space. However, as Uncle Ben said “With great power comes great responsibility.”
The out of the box (OOTB) platform is a great starting point and can be used to build a robust solution. Unfortunately, in my experience this has not always been the case.

For clients that have an instance of SAP Hybris, the e-commerce channel is a considerable source of income, thus, it’s understandable that I see an increased interest to have their implementations audited. A full review of the system can provide an assessment and understanding if best practices were followed during SDLC.


When I engage with a customer to review their SAP Hybris implementation, there are several areas that I pay attention to:

A typical engagement takes about 200 to 240 hours to complete, from start to end. Depending on the complexity of the implementation it can go longer.

Here is how I like to segment the work:


Below, please find a more detailed description of items covered during the review:

  1. Overall implementation organization

    • Number of servers (load balancers, web servers, application servers, admin servers, DB servers and SOLR servers. Optionally CIS servers and Datahub)

    • Catalog architecture

    • Catalog synchronizations

    • Product structure (variant levels, variant types, etc.)

    • Price row storage (catalog version aware or not, etc.)

    • Number of sites and relations between them

    • What are the ERP, CRM, OMS used?

    • Which system is the master record keeper for products, prices, inventory, orders and customers.

  2. Overall code organization

    • Code repository, code review, code quality, code testing

    • Integration with critical “internal” components like ERP/CRM/OMS

    • Data imports and exports

    • Testing (unit, integration and automation)

    • Synchronous and asynchronous data flow

  3. Third party integrations

    • Sales tax

    • Payment

    • Address verification

    • Loyalty integrations

    • Email communication

    • DAM (or images and content)

  4. Customer experience

    • Search & SOLR (document structure, indexing and query strategy, SOLR architecture – master/slave)

    • Discounts & promotions

    • Checkout flow and navigation

    • Content management

  5. Site performance

    • Hybris region cache

    • SOLR caching (if applicable)

    • Sales tax performance

    • Static files

    • Partial / full page caching

    • Session data caching

    • Temporary carts purging

    • Execution of task engine

  6. Build and deploy process

    • Building lifecycle

    • Deployment process

    • Continuous integration approach (if any)

    • Code validation upon builds

  7. Infrastructure review

    • Infrastructure components / diagram

    • Server topology

    • OS and memory settings (operating system level, JVM level, etc.)

    • Apache HTTP and Tomcat server configurations

  8. Privacy and security

    • Web application security (i.e. XSS, CSRF and SAP and web application best practices)

    • Access control: lockdown of most super-admins, default users/passwords, granularity access for administration consoles (hmc, backoffice)

    • Password hashing/encryption algorithms

    • Password policies

    • Application logging (is enough information logged and is sensitive information being logged to the files)

    • Credit card data management


If you are interested, please contact me.