Ryan Garlick - TEACHING SECURE E-COMMERCE THROUGH BUILDING REAL-WORLD SITES

Uploaded by augustus-lewis, posted 01-Jan-2016


TRANSCRIPT

Ryan Garlick

TEACHING SECURE E-COMMERCE THROUGH BUILDING REAL-WORLD SITES

Cross-listed course: 21 undergrads, 13 graduate students

CSCE 4560 / 5560 – SPRING 2013

All content presented via real-world examples of working sites

Google Analytics
Amazon feeds
SSL certificate
Domain / DNS
phpMyAdmin
Cart software
FTP
Project Management - MS Project / Pivotal Tracker

COURSE CONTENT

I had access to existing e-commerce sites for examples:
ACM students for t-shirts, running the UG site
Drone project in a directed study dovetailed with the Grad site
Asked the students if anyone had ideas...
Some good ones - Farmer's Food Delivery

PREP WORK / CHEATING

Students pick the site; I bought the SSL certificate / domain / hosting.

Totals around $100 for the year

If it gets up and running, students to implement it?

DETAILS

Here’s our problem, now let’s learn the tools we need to solve it.

Ex: Bitcoin

Everything is results based – students choose the tools to get there

METHODOLOGIES

First day… pick a team

Security
Payment
Database / Backup
Business
Graphics
Products / Cart
And... a Project Manager

TEAMS

I had to break a few ties, but in general students picked their group.

Students choose a site, and a cart platform.

STUDENTS DECIDE

Choose carefully.

A good PM makes or breaks the team.

Pull them aside early and visit with them about:
Management techniques - make me the bad guy
Effective delegation

THE PROJECT MANAGER

If your group is fragmenting, or not getting anything done, he or she will be held responsible.

THE PM

Presentations by each team.
What I stress: "Show me what you did on the site." OK if it's not visible on the front end, but you need to do something on the site, not just "research".
During the showdown, points are awarded to a team for inflicting harm on the other team's site. Undergrads get a 2x modifier.

EVALUATION

Application layer only - no LOIC to DDoS
Only things that someone outside the class would have access to
Social engineering is allowed
Encouraged to look for cart / SQL weaknesses
Nothing destructive until the last day
Database / Backup team responsible for restoring

THE SHOWDOWN

XSS, SQL Injection
Inner workings of Shopping Carts / Sessions
SSL and Payment Gateways
SEO, Google Analytics
SQL and how it relates to the Cart / PHP
Payment - must implement Bitcoin
Graphics Templates for each cart
Team Management

TOPICS
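The showdown rules encourage teams to look for "cart / SQL weaknesses", and the topics list pairs SQL injection with how SQL relates to the cart. The following is an added example, not code from the course or its cart software: a product lookup of the kind a PHP cart exposes through a ?id= parameter, written once with string concatenation and once with a parameterized query, against an in-memory SQLite database. The table and column names, the rows, and the hash value are all constructed for the example; the course used PHP, but Python's sqlite3 is used here so the block runs stand-alone.

```python
"""Added example: a cart product lookup, vulnerable and hardened.

Not from the original slides. Table layout, rows and the password-hash
string are constructed assumptions chosen to make the injection visible.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed sample store: one visible product, one hidden
    product, and a users table an attacker would like to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "price REAL, visible INTEGER)"
    )
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "ACM t-shirt", 15.0, 1), (2, "Unreleased hoodie", 40.0, 0)],
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "pm@example.edu", "$2y$10$constructedhash")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The weakness the showdown teams hunt for: the raw ?id= value is
    spliced into the SQL text, so the attacker controls the WHERE clause.
    "1 OR 1=1" lists hidden products; a UNION reads the users table."""
    sql = (
        "SELECT id, name, price FROM products "
        "WHERE visible = 1 AND id = " + product_id
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, product_id: str) -> list:
    """Same query with the value bound as a parameter. The id is also
    validated as an integer first, so malformed input is rejected outright
    instead of being handed to the database."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, name, price FROM products WHERE visible = 1 AND id = ?",
        (pid,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))
    print(lookup_vulnerable(db, "1 OR 1=1"))
    print(lookup_vulnerable(db, "0 UNION SELECT id, email, pw_hash FROM users"))
    print(lookup_hardened(db, "1 OR 1=1"))
```

The UNION payload works because the attacker's SELECT returns the same number of columns as the original query; in a real cart the visible column count is what the "Database / Backup" team's schema and the cart template leak to an outside attacker, which is why the showdown rules restrict teams to what an outsider could reach.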

Undergrads: www.cse.unt.edu/projects/ecommerce/

Grads: DroneCam.tv

SITES

Anecdotally more enthusiasm
Security teams are really getting into it

When you tell them their grade depends on defending the site and bringing the other team down

Usual group project problems: the do-nothings and the fragmenters

Essentially plagiarism-proof

RESULTS SO FAR

Vet your Project Manager
Some students took it too seriously, wouldn't give passwords to their team members who needed them for fear of security leaks

Try to cull the do-nothings early
Have fun

CAVEATS