Security testing in AEM as a Cloud Application | Community
Level 3
January 10, 2024
Solved

Security testing in AEM as a Cloud Application

  • January 10, 2024
  • 3 replies
  • 2203 views

Dear All, 

We are building a CMS website using AEM as a Cloud Service. Does anyone know if the AEM deployment pipeline automatically handles security/penetration vulnerabilities? Or is there a need for a third-party plugin to check the same?

Previously, with Magnolia CMS, we were using Kiuwan for this purpose. But I assume AEM Cloud is already checking for security issues during the Code Scanning stage of the deployment pipeline.

 

If anyone has any thoughts/comments, it would be really helpful. 

 

Thank you!!

3 replies

EstebanBustamante
Community Advisor and Adobe Champion
Accepted solution
January 10, 2024

Here are some thoughts:

 

  • The code quality gateway, which runs on each pipeline from Cloud Manager, includes a security scan that identifies vulnerabilities. You can find more information about this scan here. If you need to understand the rules associated with this security scan, you can check them here or visit this community link.

  • Any AEM website using AEMaaCS will be hosted on Adobe Managed Services (AMS), which already has security tests in place. These tests are usually not public, but you can contact your Adobe representative for more details if you need this information for compliance or any other purpose.

  • You are free to conduct additional security tests on your website. However, you need to coordinate with AMS regarding the timing of such security tests. Once coordinated, you can perform load, performance, or penetration tests as needed.

Hope this helps

Esteban Bustamante
Level 3
January 11, 2024

Thanks for confirming, @estebanbustamante!

pulkitvashisth
Community Advisor
January 10, 2024

AEMaaCS offers advanced security features such as multi-factor authentication, Single-Sign-On (SSO), and SAML 2.0 authentication. Environments are pre-configured with security rules, and the Author tier is automatically integrated with the Adobe IMS by default.

 

In terms of deployment, AEM Cloud Manager includes a CI/CD framework, which allows implementation teams to quickly test and deliver new or updated code. The CI/CD pipeline performs a thorough code scan. It also automates unit and performance testing processes to increase deployment efficiency and proactively identify critical issues.

 

Depending on your specific security requirements and the complexity of your application, you may still want to consider using additional security tools or practices.


Please check this documentation for reference:

AEM as a Cloud Service Security Overview:
https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/security/cloud-service-security-overview.html?lang=en

Cloud Manager CI/CD Pipelines:
https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/using-cloud-manager/cicd-pipelines/introduction-ci-cd-pipelines.html?lang=en

 
Level 3
January 11, 2024

Thank you, @pulkitvashisth!

kautuk_sahni
Community Manager
January 11, 2024

@jainrupal2408 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found a solution yourself, please share it with the community.

Kautuk Sahni