This document provides an overview of crafting secure and composable Sitecore SaaS-based applications. It discusses increasing attack surfaces with SaaS and microservices architectures. It then covers security topics like the layered security model, zero trust architecture, securing Docker and Kubernetes, infrastructure as code, automated security testing, and a reference security solution architecture. The presentation emphasizes security by design, automation, and people/process through concepts like DevSecOps. It aims to educate on building security into applications from the start through frameworks, best practices and automation.

1. Crafting secure
composable Sitecore
SaaS-based applications
Vasiliy FOmichev
#sugcon

2. Initiate new sections
as you shine
Kick off specific subjects
within your presentation
with these section slides.

3. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
• Solution design
• DevSecOps
• Security reference diagram
Agenda

4. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Introductions
 Sitecore MVP 2015 – 2023:
Technology, Commerce, Ambassador
 15 years of Sitecore delivery
 9 years of managing Sitecore practices
 MarTech enthusiast — Content, Azure, AI, Blockchain
Vasiliy Fomichev
VP, Digital Solutions, Altudo
vasiliy.fomichev@altudo.co
@vasiliyfomichev
www.altudo.co
www.cmsbestpractices.com

5. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
We are a leader in Sitecore for 15+ years
600+
Sitecore Projects
Delivered
Sitecore Expertise
45+
Fortune 500 Clients
Trusted By Top Brands
10+
Awards Worldwide
Recognized By The
Experts
20+
Partnerships to help you
scale
Sitecore Ecosystem
450+
Sitecore SMEs
Extensive Experience
Most
innovative
partner
Global
Sitecore
expertise
Extensive
partnerships
Coveo
Partner
7x

6. Introduction to Secure
SaaS-based Web App
Design
Planning for resilience

7. The only secure system is the one
that’s turned off.

8. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The foundational layers of security
Security by design
Automation
• People
• Systems
• Processes
• Best practices: Networking, Coding
• Peer reviews
• Threat modeling
• OWASP Security Knowledge
Framework (SKF)
• Unit testing
• Integration testing
• Code quality scanning
• SAST
• SCA dependency scanning
• Integration testing
• DTA container scanning
• Network scanning
• Performance testing
• IAST
• RASP
• DAST
Education
• Pair programming
• Lunch & learns
• Informal knowledge sharing
• Experiment
• Learn from incidents
• Create incidents yourself
• Use playgrounds
• Certification
• Self-paced
• Instructor-led
• Tutorials
• Gamification

9. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The foundational layers of security
Security by design
Automation
• People
• Systems
• Processes
• Best practices: Networking, Coding
• Peer reviews
• Threat modeling
• OWASP Security Knowledge
Framework (SKF)
• Unit testing
• Integration testing
• Code quality scanning
• SAST
• SCA dependency scanning
• Integration testing
• DTA container scanning
• Network scanning
• Performance testing
• IAST
• RASP
• DAST
Education
• Pair programming
• Lunch & learns
• Informal knowledge sharing
• Experiment
• Learn from incidents
• Create incidents yourself
• Use playgrounds
• Certification
• Self-paced
• Instructor-led
• Tutorials
• Gamification

10. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The three pillars of security
Confidentiality Integrity Availability
• System access control
• Data access control
• Information exposure limit
• System integrity
• Data integrity
• Behavioral integrity
• System SLA
• Data accessibility
• Application performance and
uptime

11. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Layered security model with OSI
https://industry40.co.in/networking-osi-layers/
Physical (1)
Data Link (2)
Network (3)
Transport (4)
Session (5)
Presentation (6)
Application (7)
Purpose
Ensure data is in a usable format
(serialization, deserialization, encryption)
Maintains connections, responsible for
ports and sessions.
Transmits data across the network using
transmission protocols; TCP and UDP
Decides which physical path the data will
take; IP routing
Defines the format of data on the network;
packet structure and frames; MAC address
Electrical signal transmission; connections,
wiring, fiber optic.
Intrusion – network, hardware.
Spoofing (MAC, ARP) MAC flooding, VLAN
hopping
Man-in-the-middle, distributed denial of
service (DDoS)
Eavesdropping, SYN flood, tampering and
message forgery, packet sniffing, port scanning.
Sniffing, RPC, NetBios attacks
Session hijacking
Exploits
Human-computer interaction layer, where
applications access network services.
Threat
Layers
out
in

12. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
The attack surface increase with SaaS
Job Job
API Job
API API
API API
Virtual Machine
Azure SQL
XM Cloud
SaaS and composable architectures
massively increase attack surfaces.

13. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Typical XM Cloud application
XM Cloud
Vercel
Client
Azure Services
TLS TLS
TLS TLS
TLS
1
2
3

14. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Secure network topologies
https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/protect-backend-apis-azure-management
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/apis/protect-apis
Client Front Door
Active
Directory
(B2C)
API Management
AKS
Private Endpoint Function
API Services
1 Service Call
2
Authenticate /
validate token
4 Service Call
JWT
3
JWT
5
Intruder
JWT
JWT
5
Dead end

15. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Legacy point-to-point communication
Data Systems
Inventory Service
Application Layer
Product Service CRM ERP
Mobile App Website Kiosk

16. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Service layer abstraction for availability
Data Systems
Abstraction Layer
Inventory Service
Application Layer
Product Service CRM ERP
Inventory
API
Product API Contact API Order API
Mobile App Website Kiosk
Service to service communication: mTLS  Zero Trust

17. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Data Plane
Securing microservices with zero trust
Control Plane
Certificate
Management
Proxy
Microservice
Authorization Policy
Logging &
Monitoring
Routing Rules
Proxy
Microservice
Proxy
Microservice
Ingress
API
Management
east - west
north
-
south
mTLS
OSM
The service
proxy acts as a
policy enforcer.
1
2

18. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10.Insufficient Logging & Monitoring
Building secure APIs: OWASP top 10 API
OWASP Top 10
1. Create function-level authorization (JWT)
2. MFA, TLS
3. Limit objects and properties exposed via an API
4. Validate object size and rates
5. Ensure proper role and rights assignments
6. Validate objects; filter out properties
7. Restrict raw error exposure, tighten CORS, ensure
TLS, implement HSTS, use TLC Cipher String cheet
sheet; setup security headers
8. Ensure validation
9. ?
10.Implement an Azure cloud defender
Vulnerability Mitigation

19. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Availability
• Use edge caching to prevent unnecessary load on the backend
• Configure CORS for edge functions
• Use logging for observability (console.log)
Confidentiality
• Use Vercel security features to restrict access to environments
• Vercel Authentication to restrict preview (all, needs an account)
• Password protection (Enterprise or $150/mon.)
• Shareable links (all, needs an account)
• Do not store secrets in code
Integrity
• Use TLS 1.2 or 1.3
First line of defense with Vercel Edge

20. Automating security
testing and validation
Enforcing security with
DevSecOps

21. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Securing Docker and Kubernetes

22. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
“Polyglot programming is the practice of writing code in
multiple languages to capture additional functionality
and efficiency not available in a single language. The use
of domain specific languages (DSLs) has become a
standard practice for enterprise application
development.”
Need for more
• Governance
• Security specialists
• Platforms and tools
• Templates
• Infrastructure
Avoid polyglot applications from security
perspective.
Polyglot applications security

23. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Resourcing your teams based on your strategy
Team
1
Team
2
Team
3
Upskilled Team
+ Agile
+ Cheaper
? Ability to Scale
? Commitment
Team
1
Team
2
Team
3
++ Center of
Excellence
? Customer Focused
? Prioritisation
? Resourcing
? Speed of Turnaround
Platform Team
- Security champions and evangelists
Team
1
Team
2
Team
3
+ Customer Focus
+ Resources secured
? Distributed Knowledge
? Communication
? Overlapping Experiences
Shared Resources

24. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Infrastructure as Code (IaC) is the management of infrastructure (networks, virtual machines, load balancers, and
connection topology) in a descriptive model, using the same versioning as DevOps team uses for source code.
Infrastructure as code for automation
• Automates environment setup
• Allows repeatability and templatization
• Enables infrastructure versioning
• Promotes Site Reliability Engineering (SRE)
• Promotes standardization, security, consistency,
and stability

25. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
• No single test is sufficient
• Provide test coverage across units, technology, and
system layers
• Move the cheaper tests closer to the foundation to
reduce the feedback cycle
• Container tests should be done at three levels
o IDE by developers
o During the build process before deploying
to the registry
o Periodic scans for registry images
• Manual testing is good at finding outlier defects,
while automated delivers greater testing coverage to
identify common weaknesses.
Design test automation based on cost
IAST/R
ASP
Performanc
e testing
Network
Scanning
DTA Container
Scanning
Integration testing
SCA Dependency Scanning
SAST/Unit Testing
Cost
per
test
DAST
Penetration testing,
bug bounties, peer
reviews

26. Reference Solution
Architecture
How security is created.

27. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Composable SaaS security reference
Physical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
Implement an Azure Front Door, use TLS, encrypt data in store (Azure SQL default)
Turn off, secure password storage, check system for rogue peripherals.
Restrict traffic with VLANs, private links.
Implement an Azure Front Door; use Load Balancer to send bad requests to dead
end, redundancy and traffic offloading.
Implement an Azure Front Door
Implement an Azure Front Door, setup encryption
Implement an Azure Front Door; disable access when employee leaves; set auto-lock
in OS, log out of systems, use JWT for authorization, use zero trust with a service
mesh pattern, OWASP top Ten Web and API, CWE top 25, Vercel security

28. • Please insert a background image
that suits your presentation,
or leave it empty.
© 2022 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. https://europe.sugcon.events/
Most security breaches happen from inside of
organizations.

29. I am a proud community member! Please contact me on the following
handles:
sitecorechat.slack.com twitter sitecore.stackexchange.com

30. Thank you!

31. I am a proud community member!
Please contact me on the following handles:
sitecorechat.slack.com twitter

32. • Layer 1 – port protection of your laptop and
hardware; access to systems, login expiration
• Layer 2 - VLANS
• Layer 3 – Front Door
• Layer 4 – Front Door
• Layer 5 – Front Door
• Layer 6 – Front Door
• Layer 7 – Front Door (bot protection,
https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
https://learn.microsoft.com/en-us/azure/frontdoor/web-application-firewall
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-ddos
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-ddos
https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?tabs=app-service-
functions&pivots=front-door-standard-premium

33. DevSecOps Sitecore pipeline
33
Pull Image
Developers
Image
Repository
Container
Registry
System
Admins
DevOps
Engineers
Commit
Listen
Manage
Manage
Store image
DEV SVT PRD
DEV Deployment SVT Deployment PRD Deployment
Container Image Pull
Gitlab CI
Gitlab CD
Gitlab DAST
Selenium UI
Tests
Unit Tests
Quality and SAST
Scans
Upload
Run
Run
Upload Run
Page Speed
Tests
Load Tests
Run Run

34. Or emphasize with this bold
headline if you want..

35. ” –
Quote somebody on their
brilliance as everybody in our
community deserves a best
friend!
Akshay Sura

36. • Proin magna enim, hendrerit nec justo non, gravida
efficitur leo. Phasellus pharetra gravida turpis, sed
laoreet dui efficitur nec. Nulla auctor mi et ligula
dignissim, ac consectetur ligula rutrum.
• Sed accumsan mollis consectetur. In et sem eget orci
placerat condimentum. Nunc tortor sapien, pellentesque
eu aliquet vel, gravida eu lorem.
• These are actually valid points.
At some point, add proper content too!

37. Each presentation must end with the following three
slides. As the conference is a from-the-community-for-the-
community event we find it important that you share your
social channels you feel comfortable with, mainly the Slack
channel and Twitter.
Also, we couldn’t organize this event without our
community sponsors. Please leave them at the end of your
slide deck.
Please don’t change the following 3 slides

38. Secure
Implementations
How security is created.

39. Hardening Sitecore headless solutions

40. Team changes and upskilling
QA
Quality Assurance
and testing
Developer
Front and backend
development.
DevOps Engineer
Release processes
and automation
DevOps Security
Champion
Security automation
Monitoring
Notifications
Development Security
Champion
Code Scanning & Reviews
QA Security Champion
Dynamic application
testing
Security Bridge Team
Specialized Security
Personnel
Software, DevOps,
Forensic Analysis,
etc.
CISO
Security program
development.
Security Team
Development Team