The foundation of a successful digital commerce business is a secure eCommerce platform. Cybersecurity involves adherence to protocols, intelligent detection of security loopholes, and proactive monitoring of systems. The security measures span browsers, applications, networks, and servers.
eCommerce security is built on three pillars: privacy, integrity, and authentication. In terms of cybersecurity, we can consider the following as the most important elements:
- Secure Architecture – application security, secure communication and data encryption
- Security Management – administrative user access management, patch management
- Incident, threat and vulnerability management – continuous monitoring, vulnerability scanning and intrusion detection
- Data governance and legal compliance – Data protection management
- Cloud Continuity Management – IT service Continuity management
I. Web Application Security
Password Authentication and policies
SAP Commerce comes with a preconfigured, default set of users for use during development and demonstration. For security reasons, all default users are disabled and come with no preconfigured passwords. Only the main Administrator user password needs to be set beforehand to be able to build and initialize the system. Define a temporary password initially (in the local.properties file) to allow you to start SAP Commerce and get access to these systems, then set a permanent, secure password for this user and for any additional users and roles you may need once you log in.
SAP Commerce Platform always stores passwords in an encoded format, and it supports multiple encoding strategies (known as password encoders). In addition, businesses can implement their own strategies. Currently, the SAP Commerce Platform ships with the following encoding strategies:
- Plain text: not safe, kept for backward compatibility
- MD5: not safe, kept for backward compatibility
- PBKDF2: the strongest algorithm (default strategy in SAP Commerce)
SAP Commerce comes with two out-of-the-box password security policies called Regex and Blocklist. Regex prevents users from choosing passwords that would be too easy to crack. Blocklist bans the most common passwords. You can implement your own policies too: SAP Commerce provides customizable extension points that enable fine-grained control of password handling.
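As an added illustration (not SAP Commerce code; the iteration count, salt size, regex and blocklist below are constructed assumptions), here is how a PBKDF2 encoder with a per-user salt, a Regex policy and a Blocklist policy fit together, beside the unsalted MD5 strategy the list above marks as unsafe:

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed settings (not SAP Commerce's own values): PBKDF2-HMAC-SHA256
# with a random per-user salt and an iteration count that slows offline guessing.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
# Constructed blocklist of common passwords (SAP ships its own list).
BLOCKLIST = {"password", "123456", "qwerty", "admin", "welcome1"}
# Constructed Regex policy: at least 8 characters with upper case, lower case and a digit.
REGEX_POLICY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$")


def check_policies(password: str) -> List[str]:
    """Return the names of the password policies a candidate violates (empty = accepted)."""
    violations = []
    if not REGEX_POLICY.match(password):
        violations.append("regex")
    if password.lower() in BLOCKLIST:
        violations.append("blocklist")
    return violations


def encode_password(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as '<salt hex>$<iterations>$<digest hex>' for storage."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    salt_hex, iterations, digest_hex = encoded.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def legacy_md5(password: str) -> str:
    """The unsalted MD5 strategy kept only for backward compatibility: two users with
    the same password get the same stored value, so one precomputed table breaks both."""
    return hashlib.md5(password.encode()).hexdigest()
```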
Data Protection and Privacy
SAP Commerce Cloud provides features to support compliance with relevant legal requirements surrounding data privacy. Although compliance with data privacy laws is not a product feature, SAP software supports data privacy by providing some security features. Data protection is associated with numerous legal requirements and privacy concerns, and SAP supports them with its frameworks.
Customer Consent Management – Commerce B2C Accelerator provides functionality for data subjects (a natural person such as a customer, contact, or account) to give consent to the collection or transfer of their personal data.
Consent Logs – When a user gives or withdraws consent, a consent record is created in the back end and can be viewed in the Backoffice Administration.
Information and Deletion
SAP Commerce Platform provides functionality to retrieve all personal data stored about the data subject (person) in a machine-readable format from the system. On user request, the system owner can generate a list for a data subject, containing details about the personal data stored in the system.
SAP Commerce provides functionality to delete personal data on request by the data subject, to accommodate a person's right to be forgotten. Personal data can also be deleted automatically after a certain retention period.
Please refer to Data Protection and Privacy | SAP Help Portal for more information.
The Payment Card Industry Data Security Standard (PCI DSS) helps protect the safety of payment data for all entities that store, process, or transmit cardholder data. The standard sets the technical and operational requirements for organizations accepting or processing payment transactions.
SAP Commerce Cloud operates according to the PCI DSS 3.2 security standard. The PCI DSS requirements are documented, along with the roles and responsibilities of both SAP and the customer.
Please refer to Data Protection and Privacy | SAP Help Portal for more information.
The Solr security features include support for encrypting communication to and from Solr (as well as between the Solr nodes) using SSL, and support for authentication and authorization provided by the Solr security frameworks. The security features are enabled by default when you use the solrserver extension. To enable secure communication using SSL, you need a valid SSL certificate and must also set the SSL-related system properties.
SAP provides a sample solr.jks file containing certificates that can be used for development.
When installing Apache Solr, keep the following security considerations in mind:
- While Apache Solr provides some security features, it is not recommended to expose it to the outside world. We should place the Solr servers in a demilitarized zone (DMZ) behind a firewall.
- Always use a secure client computer and web browser when using the Apache Solr administration interface. Be mindful of the risk of CSRF attacks – always end the browser session and log out when done with your task, and avoid opening untrusted websites and emails while authenticated to the administration console.
- Follow standard hardening procedures for web applications, for example:
  - We should not run Solr servers as root or with administrator privileges
  - Access permissions to configuration files and data files should be restricted
- If you index user-generated content like reviews or comments, keep in mind that cross-site scripting (XSS) attacks are a risk when search results are displayed. To avoid this risk, the content needs to be escaped properly so that it cannot be interpreted as markup.
Please refer to Solr Security | SAP Help Portal for details.
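Added example, not SAP's or Solr's own code, of the escaping the last item asks for: an indexed review (constructed sample text) is escaped before any search-term highlight markup is added, shown beside the unsafe version that interpolates the raw content. The same rule applies to the XSS section below.

```python
import html
import re

# Constructed review text as a storefront might index it (not real customer data).
SAMPLE_REVIEW = "Great <b>value</b> <script>alert(document.cookie)</script> for the price"


def render_snippet(raw_text: str, query: str) -> str:
    """Escape indexed user content, then add <em> highlight markup around query matches.

    Escaping happens before any markup is added, so the only tags in the result are
    the <em> tags inserted here; everything that came from the review is inert text.
    The query is escaped the same way so that it still matches escaped characters.
    """
    escaped = html.escape(raw_text, quote=True)
    if not query:
        return escaped
    pattern = re.compile(re.escape(html.escape(query, quote=True)), re.IGNORECASE)
    return pattern.sub(lambda m: f"<em>{m.group(0)}</em>", escaped)


def render_snippet_unsafe(raw_text: str, query: str) -> str:
    """The mistake the text warns about: raw indexed content reaches the page unescaped."""
    if not query:
        return raw_text
    return re.sub(re.escape(query), lambda m: f"<em>{m.group(0)}</em>", raw_text, flags=re.IGNORECASE)


def contains_foreign_tags(rendered: str) -> bool:
    """Return True if the rendered HTML contains any tag other than our own <em>."""
    tags = re.findall(r"<\s*(/?\w+)", rendered)
    return any(tag.lower() not in ("em", "/em") for tag in tags)
```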
Spartacus Security Best Practices
While developing a Spartacus storefront, we can improve the security of the storefront application by implementing the security best practices described at the following link.
Please refer to Spartacus Security.
Note: Please refer to SAP Commerce Security for complete information.
Cross-Origin Resource Sharing Support
SAP Commerce Cloud supports the Cross-Origin Resource Sharing mechanism. The CORS mechanism defines a way for a browser and a server to decide which cross-origin requests for restricted resources can or cannot be allowed.
Please refer to Cross-Origin Resource Sharing Support | SAP Help Portal for configuring and enabling CORS support.
Cross-Site Scripting (XSS)
XSS attacks are aimed at end users and become possible once malicious code is delivered to and executed by end users’ web browsers. This code can be delivered in the form of a web page link or through a web application into which it was previously injected. Depending on the code’s purpose, it might enable the attacker to access the end users’ private information, such as cookies or the passwords they use in a given web application.
SAP provides two methods of protection against XSS attacks:
Omni Commerce Connect Security
Security for OCC calls is provided by highly configurable Spring security mechanisms. OCC uses the OAuth2 protocol to simplify authentication and authorization. This enables long-term access to the principal and differentiates security rules based on the type of client application.
Please refer to OCC Calls Security | SAP Help Portal for more detailed information.
Secure Integration API endpoints using OAuth or basic authentication, authorization, and SSL features. User groups and user roles provide security for defined groups and users.
Please refer to Integration API Security | SAP Help Portal for more detailed information.
SAP Commerce contains unsecured components that you should secure or remove prior to moving into production. For example:
Mocks provided by SAP Commerce are not considered secure and therefore should not be used in production.
Custom extensions generated using SAP Commerce templates are not secured. The implementation team must ensure that security is taken into account when planning, designing, and implementing each custom extension.
Please refer to Unsecure Components | SAP Help Portal.
Secure Configuration for Deployment
Before deploying SAP Commerce in production, the tech team must ensure that the configuration is secure in all aspects and that all unsecure development configurations have been removed.
Refer to the following section for the important checks to be performed.
II. Cloud Security
In Commerce Cloud security, firewall rules and SSL certificates are applied to endpoints, and other parameters are configured to optimize security.
IP Filter Sets – An IP filter allows you to control how IP traffic flows into your system. You create an IP filter by listing a series of IP addresses that are either allowed or denied as a packet source. The system either accepts (Allow) or discards (Deny) packets based on the rules that you define. Once you define and upload the IP filter set, you can choose which sites should be accessible to or denied for visitors.
SSL Certificates and Trusted Certificates – SSL or TLS certificates are used to ensure a secure, encrypted connection between a user’s browser and SAP Commerce Cloud endpoints. Certificates are a way of validating connections between public browsers and service endpoints. For example, when using the HTTPS protocol to access an online storefront, an SSL certificate must be added to the corresponding endpoint.
When communication is initiated, most third-party applications look for self-signed certificates in a local truststore. If the certificate is present, the HTTPS client establishes a secure connection. The Cloud Portal provides self-service tools that allow you to:
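An added example, not a Cloud Portal export, of how an ordered Allow/Deny IP filter set like the one described is evaluated against packet sources; the networks below are constructed documentation ranges and the first matching rule wins, with anything unmatched discarded:

```python
import ipaddress
from typing import List, Tuple

# Constructed IP filter set: (network, action) pairs evaluated top to bottom.
IP_FILTER_SET: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "Allow"),   # e.g. an office range (constructed, TEST-NET-3)
    ("198.51.100.7/32", "Deny"),   # one host blocked inside an otherwise allowed range
    ("198.51.100.0/24", "Allow"),  # ordering matters: this must come after the /32 deny
    ("0.0.0.0/0", "Deny"),         # explicit default deny for everything else
]


def compile_filter_set(rules):
    """Parse the rule strings once; a malformed address or action raises ValueError."""
    compiled = []
    for network, action in rules:
        if action not in ("Allow", "Deny"):
            raise ValueError(f"unknown action {action!r}")
        compiled.append((ipaddress.ip_network(network, strict=False), action))
    return compiled


def evaluate(source_ip: str, compiled) -> str:
    """Return the action of the first rule whose network contains source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for network, action in compiled:
        if addr.version == network.version and addr in network:
            return action
    return "Deny"  # no rule matched (e.g. an IPv6 source with only IPv4 rules): drop


def filter_request_log(lines, compiled):
    """Apply the filter set to constructed '<source ip> <path>' log lines and return
    (ip, decision) pairs, so an operator can preview what the set would do."""
    decisions = []
    for line in lines:
        source_ip, _, _ = line.partition(" ")
        decisions.append((source_ip, evaluate(source_ip, compiled)))
    return decisions
```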
- Add certificates
- Remove certificates
- Deploy a build that automatically pulls the certificates and adds them to the JVM truststore for each subsequent deployment
API Tokens – API tokens contain the user credentials that grant you access to Commerce Cloud APIs. You can generate an API token in the Cloud Portal.
Virtual Private Network (VPN) – Create up to 10 Virtual Private Network (VPN) connections between your SAP Commerce Cloud environments and your selected private networks using the Cloud Portal.
The VPN functionality includes:
- the ability to access any SAP Commerce Cloud endpoint, for example Backoffice, Data Hub, from your private network,
- the ability to communicate between the SAP Commerce Cloud environments and privately hosted systems.
Commerce Cloud self-service Network Address Translation (NAT) is a specialized host-to-host networking feature that uses network address translation to extend the capabilities of a VPN.
With an IPsec VPN tunnel for SAP Commerce Cloud, your site-to-site VPN traffic is encrypted and decrypted when it arrives at the network gateways, ensuring more secure IP traffic and making VPN clients unnecessary. Please refer to IPsec VPN Tunnels for more details.
SAP Cloud Interconnect – SAP Cloud Interconnect gives the reliability and security of a dedicated connection while still maintaining the flexibility and fast deployment time of an Internet VPN connection. Please refer to SAP Cloud Interconnect for more details.
Web Application Firewall – SAP Commerce Cloud WAF Lite is a set of features designed and implemented to mitigate web application vulnerabilities. It also has a framework for selective disablement of vulnerable endpoints. All of these functionalities allow you to reduce the impact of possible attacks before they reach the production systems, which helps ensure the stability of web applications. Please refer to Web Application Firewall for more details.
NOTE: If the business uses a CDN, it should enable DDoS protection at the CDN level or add an external WAF.
Note: Please refer to the Cloud Portal Security section for detailed information on the security features listed above.
In this article, we provide a brief overview of key security features to help the business and IT teams better understand SAP Commerce’s security architecture. They can use this information to familiarize themselves with various security measures.
Please contact your SAP Customer Service Professional for more information on SAP Commerce Cloud security features.