In this blog post, you will find the typical configuration and best practices for SAP SuccessFactors security.
Here I'll try to share the configuration settings that help prevent attacks such as cross-site scripting (XSS), data injection, open redirects and clickjacking.
Enabling Interstitial Pages for External Redirection
If a web page within the "company.com" domain redirects to a page on a different domain, you can enable an interstitial warning page so that the user becomes aware that they are leaving the trusted domain and can judge whether the action is safe before it proceeds.
This countermeasure reduces exposure to the following types of attack:
Cross-domain redirect abuse
Open redirects
Phishing attacks
If Single Sign-On (SSO) is active, the permitted SSO sites must be added to an allowlist (whitelist), otherwise the interstitial page would also interrupt the legitimate SSO redirects.
The typical warning pop-up window informs the user about the cross-domain action and lets them confirm or cancel it.

How to implement: see SAP Help.
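The decision the interstitial page has to make (is this redirect target still inside the trusted domain, is it an allowlisted SSO site, or should the user be warned?) is easy to get wrong, so here is an added example of that logic in Python. It is not SAP SuccessFactors code; the company domain and the SSO allowlist are constructed sample values, and the classification covers the classic open-redirect tricks (protocol-relative `//host`, `company.com@evil` userinfo, backslashes and non-web schemes) that a naive "does it start with /" check misses.

```python
"""Decide whether a redirect target needs an interstitial warning page.

Added example, not SAP SuccessFactors code: a simplified model of the
interstitial-page decision. COMPANY_DOMAIN and SSO_ALLOWLIST are assumed
sample values for the example.
"""
from urllib.parse import urlsplit

COMPANY_DOMAIN = "company.com"              # assumed trusted domain
SSO_ALLOWLIST = {"idp.example-sso.com"}     # assumed allowlisted SSO hosts


def classify_redirect(target: str) -> str:
    """Return 'allow', 'interstitial' or 'block' for a redirect target.

    allow        - relative path, company domain / subdomain, or allowlisted SSO host
    interstitial - any other http(s) destination: warn the user first
    block        - non-web schemes or unparseable targets: never redirect
    """
    # Browsers treat "/\evil.com" like "//evil.com"; normalise before parsing so
    # the backslash form is not misread as a local path.
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
        host = (parts.hostname or "").lower().rstrip(".")   # raises on bad IPv6
    except ValueError:
        return "block"

    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "block"          # javascript:, data:, file: ...

    if scheme and not parts.netloc:
        # "https:///evil.com" or "http:evil.com": browsers repair these into
        # absolute URLs, so treat a scheme with no authority as hostile.
        return "block"

    if not parts.netloc:
        # Plain path such as "/home". Protocol-relative targets ("//evil.com")
        # do carry a netloc, so they never reach this branch.
        return "allow"

    if not host:
        return "block"

    # parts.hostname already strips userinfo, so "company.com@evil.com"
    # resolves to evil.com here rather than to the company domain.
    if host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN):
        return "allow"
    if host in SSO_ALLOWLIST:
        return "allow"
    return "interstitial"
```

Note that the subdomain check uses `endswith("." + COMPANY_DOMAIN)`, not a substring match: `company.com.evil.net` must land on the interstitial, and only a real allowlist entry (not a pattern) lets an SSO identity provider through without the warning.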
Configure Content Security Header policies for a SuccessFactors instance
To limit possible cross-site scripting and data injection attacks, you can restrict which content the browser is allowed to execute or load while rendering the application. For example:
· Images
· Scripts (e.g. external JavaScript-based plug-ins)
The feature that mitigates these risks is the Content Security Policy header.
A Content Security Policy (CSP) is a browser security mechanism that restricts the sources from which the browser may load resources such as scripts, fonts and images. It adds a layer of defence in depth: even if an attacker manages to inject markup into a page, the browser refuses to run scripts or fetch resources from origins that the policy does not list, which helps detect and mitigate certain types of attack, including cross-site scripting and data injection.
The CSP header is configured from Provisioning. You can check the procedure in SAP Help.
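Before enabling a CSP it helps to be able to predict what it will block. The following is an added example in Python, not SAP SuccessFactors code and not the policy that Provisioning generates: a simplified model of how a browser matches a resource load against a CSP source list (`'self'`, scheme sources, host sources with `*.` wildcards, the `default-src` fallback) plus a check for source expressions such as `'unsafe-inline'` that undo the XSS protection. The page origin, the two policies and the URLs are constructed for the example.

```python
"""Evaluate resource loads against a Content-Security-Policy header.

Added example, not SAP SuccessFactors code: a simplified CSP source matcher.
PAGE, HARDENED and LOOSE are constructed sample values, not a real tenant's policy.
"""
from urllib.parse import urlsplit

PAGE = "https://company.successfactors.example"     # assumed page origin
HARDENED = ("default-src 'self'; script-src 'self' https://cdn.trusted.example; "
            "img-src 'self' https://*.images.example; frame-ancestors 'self'")
LOOSE = "default-src *; script-src 'self' 'unsafe-inline' https:"

# Directives that never fall back to default-src (CSP3).
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri", "sandbox", "report-uri"}
# Sources that re-open the door CSP is meant to close.
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def parse_csp(header: str) -> dict:
    """Parse "dir1 src src; dir2 src" into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    # "*.cdn.example" matches "a.cdn.example" but, as in the spec, not "cdn.example".
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit loading `url` from `page_origin`?"""
    src = source.lower()
    target, page = urlsplit(url), urlsplit(page_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if src == "*":
        return target.scheme in ("http", "https")   # "*" never covers data:/blob:
    if src.endswith(":"):                            # scheme source, e.g. https:
        return target.scheme == src[:-1]
    # Host source: [scheme://]host[:port][/path]
    scheme, rest = ("", src) if "://" not in src else src.split("://", 1)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme and target.scheme != scheme:
        return False
    if not scheme and target.scheme not in ("http", "https"):
        return False
    if not _host_matches(host, target.hostname or ""):
        return False
    default_port = {"https": 443, "http": 80}.get(target.scheme)
    if port and port != "*" and (target.port or default_port) != int(port):
        return False
    if path and not target.path.startswith("/" + path):   # simplified path match
        return False
    return True


def is_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Check a load against `directive`, falling back to default-src as a browser does."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True            # nothing in the policy restricts this load
    return any(source_allows(s, url, page_origin) for s in sources)


def weak_sources(policy: dict) -> dict:
    """Return {directive: [risky sources]} for directives that weaken the policy."""
    found = {}
    for directive, sources in policy.items():
        risky = [s for s in sources if s.lower() in RISKY]
        if risky:
            found[directive] = risky
    return found
```

Two points the example makes concrete: a `*.images.example` wildcard does not cover the bare `images.example` host, and a directive such as `connect-src` that is absent from the policy inherits `default-src`, while `frame-ancestors` does not, so an allowlist for framing has to be stated explicitly.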
Restrict Concurrent BizX Sessions
By default, BizX allows multiple concurrent sessions for a single user account. With this setting enabled, multiple sessions are restricted and a user is prompted to log out of other sessions before starting a new one. A second login attempt while a session is still active behaves as follows:
- For a SAML2 (SSO) user, the system redirects to the Invalid Login URL when the login fails. This is the URL entered under Single Sign-On (SSO) Settings -> "Please enter the URL for Invalid Login URL redirect:" in Provisioning.
- For a password (PWD) user, the system redirects to a message page with the following error:
"We found another active session for you and cannot log you in again. Please logout of the existing session or try logging in after 30 minutes".

How to enable: see the SAP KBA.
Configuring an External Candidate Account CAPTCHA
By default, CAPTCHA is enabled on all instances. SAP SuccessFactors uses Google reCAPTCHA. Disable it only in exceptional scenarios where the customer is facing issues with the feature, such as the following:
Because Google reCAPTCHA doesn't work in China, this feature isn't supported for Chinese customers or for candidates applying from China. If these customers are facing issues with CAPTCHA, the only option is to disable it.
How to enable: see SAP Help.
One-Time Password Email Verification (OTP) – Recruiting Management
Email address verification using a one-time password adds protection to candidate accounts against bot attacks, phishing and other threats, and prevents the exposure of existing candidates' email addresses to attackers.
When an external candidate creates an account or updates the contact email address in the Candidate Profile, a one-time password is sent to the candidate's email address. Only once a valid OTP is provided:
- is an account created for the candidate, or
- is the contact email address updated in the Candidate Profile.

This feature was introduced as part of the 2020 H2 release and is disabled by default for all customers, so it has to be switched on explicitly.
How to enable: see the SAP KBA.
Set Up Two-Factor Authentication (TOTP)
TOTP passcodes are time-based and valid for one logon attempt only, which provides additional security compared with common static passwords: a captured passcode expires within seconds and cannot be replayed. Passcodes are generated by an authenticator application installed on your mobile device. For more information about how to install and configure authenticators, see their documentation.
To sign in when the application requires TOTP two-factor authentication, you first provide your primary credentials, choose the TOTP method (or enable it on first use), then enter the passcode generated on your mobile device.
How to enable: see the SAP KBA.
Clickjacking Filter
The Clickjacking Filter is an allowlist-based feature that controls which pages are allowed to render your SAP SuccessFactors pages or features within a frame; pages from any origin not on the allowlist cannot embed the application, which prevents an attacker from overlaying invisible SuccessFactors UI elements on a page they control.
Security Scan of User Inputs
Security Scan of User Inputs, when enabled, validates the data transferred to SAP SuccessFactors HXM Suite through API calls in integration scenarios and filters out harmful content before it is stored.