SAP Hybris Implementation Review

Oftentimes when I start my work with a new client, one of the first things they want to know is my opinion about their SAP Hybris implementation.
I like to think of it as a medical second opinion “after the fact”. This is especially true when a new person responsible for the e-commerce department comes in and has no real feel for how the system was written by the SI or the in-house IT folks.

SAP Hybris is a fantastic platform that has been named one of the top systems in the e-commerce space. However, as Uncle Ben said, “With great power comes great responsibility.”
The out-of-the-box (OOTB) platform is a great starting point and can be used to build a robust solution. Unfortunately, in my experience this has not always been the case.

For clients that have an instance of SAP Hybris, the e-commerce channel is a considerable source of income, so it’s understandable that I see increased interest in having their implementations audited. A full review of the system can provide an assessment of whether best practices were followed during the SDLC.


When I engage with a customer to review their SAP Hybris implementation, there are several areas that I pay attention to:

  • Overall implementation organization
  • Overall code organization
  • Third party integrations
  • Some customer experience areas (as I am not a UX specialist)
  • Site performance
  • Build and deploy process
  • Infrastructure review
  • Privacy and security audit

A typical engagement takes about 200 to 240 hours to complete, from start to end. Depending on the complexity of the implementation it can go longer.

Here is how I like to segment the work:

  • In the first week, I go through any available business and technical documentation; at the same time, I prepare the schedule for the following weeks, depending on the document discovery.
  • I spend the second week onsite, interviewing team members.
  • I spend weeks 3 and 4 working remotely, with access to some of the team members to answer questions that pop up.
  • The last couple of days of the engagement are for the final presentation; I either visit the office again or present it remotely.


Below, please find a more detailed description of items covered during the review:

  1. Overall implementation organization
    • Number of servers (load balancers, web servers, application servers, admin servers, DB servers and SOLR servers; optionally CIS servers and Datahub)
    • Catalog architecture
    • Catalog synchronizations
    • Product structure (variant levels, variant types, etc.)
    • Price row storage (catalog version aware or not, etc.)
    • Number of sites and relations between them
    • Which ERP, CRM and OMS are used?
    • Which system is the master record keeper for products, prices, inventory, orders and customers?
  2. Overall code organization
    • Code repository, code review, code quality, code testing
    • Integration with critical “internal” components like ERP/CRM/OMS
    • Data imports and exports
    • Testing (unit, integration and automation)
    • Synchronous and asynchronous data flow
  3. Third party integrations
    • Sales tax
    • Payment
    • Address verification
    • Loyalty integrations
    • Email communication
    • DAM (or images and content)
  4. Customer experience
    • Search & SOLR (document structure, indexing and query strategy, SOLR architecture – master/slave)
    • Discounts & promotions
    • Checkout flow and navigation
    • Content management
  5. Site performance
    • Hybris region cache
    • SOLR caching (if applicable)
    • Sales tax performance
    • Static files
    • Partial / full page caching
    • Session data caching
    • Temporary carts purging
    • Execution of task engine
  6. Build and deploy process
    • Building lifecycle
    • Deployment process
    • Continuous integration approach (if any)
    • Code validation upon builds
  7. Infrastructure review
    • Infrastructure components / diagram
    • Server topology
    • OS and memory settings (operating system level, JVM level, etc.)
    • Apache HTTP and Tomcat server configurations
  8. Privacy and security
    • Web application security (e.g. XSS, CSRF, and SAP and web application best practices)
    • Access control
      • Lockdown of most super-admins
      • Default users/passwords
      • Granularity of access for administration consoles (hmc, back office)
    • Password hashing/encryption algorithms
    • Password policies
    • Application logging (is enough information logged, and is sensitive information being logged to the files?)
    • Credit card data management


If you are interested, please contact me.