Luchian Software Consulting

SAP Hybris Implementation Review

Often times when I start my work with a new client, one of the first things they want to know is my opinion about their SAP Hybris implementation.
I like to think of it as a medical second opinion “after the fact”. This is especially true when a new person responsible for the e-commerce department comes in and has no real feel for how the system was written by the SI or the in-house IT folks.

SAP Hybris is a fantastic platform that has been named one of the top systems in the e-commerce space. However, as Uncle Ben said “With great power comes great responsibility.”
The out of the box (OOTB) platform is a great starting point and can be used to build a robust solution. Unfortunately, in my experience this has not always been the case.

For clients that have an instance of SAP Hybris, the e-commerce channel is a considerable source of income, thus, it’s understandable that I see an increased interest to have their implementations audited. A full review of the system can provide an assessment and understanding if best practices were followed during SDLC.

Approach

When I engage with a customer to review their SAP Hybris implementation, there are several areas that I pay attention to:

Overall implementation organization
Overall code organization
Third party integrations
Some customer experience areas (as I am not a UX specialist)
Site performance
Build and deploy process
Infrastructure review
Privacy and security audit

A typical engagement takes about 200 to 240 hours to complete, from start to end. Depending on the complexity of the implementation it can go longer.

Here is how I like to segment the work:

First week I go through any business and technical documentation available, at the same time I prepare the schedule for next weeks depending on the document discovery.
Second week I spend onsite interviewing team members.
Week 3 and 4 I spend remotely with access to some of the team members to answer questions that pop up.
Last couple of days of the engagement for the final presentation, I either visit the office again or I present it remotely.

Details

Below, please find a more detailed description of items covered during the review:

Overall implementation organization
- Number of servers (load balancers, web servers, application servers, admin servers, DB servers and SOLR servers. Optionally CIS servers and Datahub)
- Catalog architecture
- Catalog synchronizations
- Product structure (variant levels, variant types, etc.)
- Price row storage (catalog version aware or not, etc.)
- Number of sites and relations between them
- What are the ERP, CRM, OMS used?
- Which system is the master record keeper for products, prices, inventory, orders and customers.
Overall code organization
- Code repository, code review, code quality, code testing
- Integration with critical “internal” components like ERP/CRM/OMS
- Data imports and exports
- Testing (unit, integration and automation)
- Synchronous and asynchronous data flow
Third party integrations
- Sales tax
- Payment
- Address verification
- Loyalty integrations
- Email communication
- DAM (or images and content)
Customer experience
- Search & SOLR (document structure, indexing and query strategy, SOLR architecture – master/slave)
- Discounts & promotions
- Checkout flow and navigation
- Content management
Site performance
- Hybris region cache
- SOLR caching (if applicable)
- Sales tax performance
- Static files
- Partial / full page caching
- Session data caching
- Temporary carts purging
- Execution of task engine
Build and deploy process
- Building lifecycle
- Deployment process
- Continuous integration approach (if any)
- Code validation upon builds
Infrastructure review
- Infrastructure components / diagram
- Server topology
- OS and memory settings (operating system level, JVM level, etc.)
- Apache HTTP and Tomcat server configurations
Privacy and security
- Web application security (i.e. XSS, CSRF and SAP and web application best practices)
- Access control: lockdown of most super-admins, default users/passwords, granularity access for administration consoles (hmc, backoffice)
- Password hashing/encryption algorithms
- Password policies
- Application logging (is enough information logged and is sensitive information being logged to the files)
- Credit card data management

Luchian Software Consulting

SAP Hybris Implementation Review

Approach

When I engage with a customer to review their SAP Hybris implementation, there are several areas that I pay attention to:

Overall implementation organization

Overall code organization

Third party integrations

Some customer experience areas (as I am not a UX specialist)

Site performance

Build and deploy process

Infrastructure review

Privacy and security audit

A typical engagement takes about 200 to 240 hours to complete, from start to end. Depending on the complexity of the implementation it can go longer.

Here is how I like to segment the work:

First week I go through any business and technical documentation available, at the same time I prepare the schedule for next weeks depending on the document discovery.

Second week I spend onsite interviewing team members.

Week 3 and 4 I spend remotely with access to some of the team members to answer questions that pop up.

Last couple of days of the engagement for the final presentation, I either visit the office again or I present it remotely.

Details

Below, please find a more detailed description of items covered during the review:

Overall implementation organization

Number of servers (load balancers, web servers, application servers, admin servers, DB servers and SOLR servers. Optionally CIS servers and Datahub)

Catalog architecture

Catalog synchronizations

Product structure (variant levels, variant types, etc.)

Price row storage (catalog version aware or not, etc.)

Number of sites and relations between them

What are the ERP, CRM, OMS used?

Which system is the master record keeper for products, prices, inventory, orders and customers.

Overall code organization

Code repository, code review, code quality, code testing

Integration with critical “internal” components like ERP/CRM/OMS

Data imports and exports

Testing (unit, integration and automation)

Synchronous and asynchronous data flow

Third party integrations

Sales tax

Payment

Address verification

Loyalty integrations

Email communication

DAM (or images and content)

Customer experience

Search & SOLR (document structure, indexing and query strategy, SOLR architecture – master/slave)

Discounts & promotions

Checkout flow and navigation

Content management

Site performance

Hybris region cache

SOLR caching (if applicable)

Sales tax performance

Static files

Partial / full page caching

Session data caching

Temporary carts purging

Execution of task engine

Build and deploy process

Building lifecycle

Deployment process

Continuous integration approach (if any)

Code validation upon builds

Infrastructure review

Infrastructure components / diagram

Server topology

OS and memory settings (operating system level, JVM level, etc.)

Apache HTTP and Tomcat server configurations

Privacy and security

Web application security (i.e. XSS, CSRF and SAP and web application best practices)

Access control: lockdown of most super-admins, default users/passwords, granularity access for administration consoles (hmc, backoffice)

Password hashing/encryption algorithms

Password policies

Application logging (is enough information logged and is sensitive information being logged to the files)

Credit card data management

Contact

If you are interested, please contact me.