Teaching Secure e-Commerce through Building Real-World Sites


TEACHING SECURE E-COMMERCE THROUGH BUILDING REAL-WORLD SITES
Ryan Garlick
CSCE 4560 / 5560 – SPRING 2013
• Cross-listed course
• 21 undergrads
• 13 graduate students
COURSE CONTENT
All content presented via real-world examples of working sites:
• Google Analytics
• Amazon feeds
• SSL certificate
• Domain / DNS
• phpMyAdmin
• Cart software
• FTP
• Project Management – MS Project / Pivotal Tracker
PREP WORK / CHEATING
• I had access to existing e-commerce sites for examples
• ACM students for t-shirts, running the UG site
• Drone project in a directed study dovetailed with the Grad site
• Asked the students if anyone had ideas…
  • Some good ones – Farmer’s Food Delivery
DETAILS
• Students pick the site
• I bought the SSL certificate / domain / hosting
  • Totals around $100 for the year
• If it gets up and running, students to implement it?
METHODOLOGIES
• Here’s our problem, now let’s learn the tools we need to solve it.
  • Ex: Bitcoin
• Everything is results-based – students choose the tools to get there
TEAMS
• First day… pick a team:
  • Security
  • Payment
  • Database / Backup
  • Business
  • Graphics
  • Products / Cart
  • And… a Project Manager
STUDENTS DECIDE
• I had to break a few ties, but in general students picked their group.
• Students choose a site
  • And a cart platform
THE PROJECT MANAGER
• Choose carefully.
• A good PM makes or breaks the team.
• Pull them aside early and visit with them about:
  • Management techniques – make me the bad guy
  • Effective delegation
THE PM
• If your group is fragmenting, or not getting anything done, he or she will be held responsible.
EVALUATION
• Presentations by each team
• What I stress: “Show me what you did on the site”.
  • OK if it’s not visible on the front end, but you need to do something on the site, not just “research”
• During the showdown, points are awarded to a team for inflicting harm on the other team’s site.
  • Undergrads get a 2x modifier
THE SHOWDOWN
• Application layer only – no LOIC to DDOS
• Only things that someone outside the class would have access to
• Social engineering is allowed
• Encouraged to look for cart / SQL weaknesses
• Nothing destructive until the last day
  • Database / Backup team responsible for restoring
TOPICS
• XSS, SQL Injection
• Inner workings of Shopping Carts / Sessions
• SSL and Payment Gateways
• SEO, Google Analytics
• SQL and how it relates to the Cart / PHP
• Payment – must implement Bitcoin
• Graphics Templates for each cart
• Team Management
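Two of the topics listed above, SQL injection and XSS, as an added illustration that is not part of the original slides or of the course sites: a cart product lookup written the weak way (query built by string concatenation) beside its parameterized form, and a catalogue row template with and without output escaping. The course carts run on PHP; Python with an in-memory SQLite catalogue is used here only so the example runs stand-alone, and the defensive rule (validate, bind parameters, escape on output) is the same in either language. The product names, table layout and function names are all constructed for this example.

```python
import html
import sqlite3

# Constructed sample catalogue for the demo; the product names are made up
# and are not taken from the course sites.
SAMPLE_PRODUCTS = [
    (1, "Club T-shirt", 1500, 0),
    (2, "Drone camera mount", 4200, 0),
    (3, "Unreleased item <b>(staff only)</b>", 9999, 1),  # hidden from the storefront
]


def build_catalogue():
    """Create an in-memory SQLite catalogue with a 'hidden' flag per product."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "price_cents INTEGER, hidden INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def lookup_vulnerable(conn, product_id):
    """Weak form: the query string is glued together with the request value,
    so that value is parsed as SQL and can rewrite the WHERE clause.
    (Kept deliberately vulnerable to show the contrast.)"""
    sql = ("SELECT name, price_cents FROM products "
           "WHERE hidden = 0 AND id = " + product_id)
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, product_id):
    """Hardened form: check the type first, then bind the value as a
    parameter so the database never interprets it as SQL."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []  # anything that is not a plain integer id is rejected
    return conn.execute(
        "SELECT name, price_cents FROM products WHERE hidden = 0 AND id = ?",
        (pid,),
    ).fetchall()


def render_row_vulnerable(name, price_cents):
    """Template that drops the product name into HTML unescaped: any markup
    stored in that field is rendered by the browser (stored XSS)."""
    return f"<td>{name}</td><td>${price_cents / 100:.2f}</td>"


def render_row_hardened(name, price_cents):
    """Same template with the untrusted value HTML-escaped on output."""
    return f"<td>{html.escape(name)}</td><td>${price_cents / 100:.2f}</td>"


if __name__ == "__main__":
    conn = build_catalogue()
    # A legitimate id and a classic tampered id, passed through both lookups.
    for pid in ("2", "2 OR 1=1"):
        print(repr(pid), "vulnerable:", lookup_vulnerable(conn, pid))
        print(repr(pid), "hardened:  ", lookup_hardened(conn, pid))
    # The hidden row leaks through the weak lookup; compare how each template shows it.
    hidden_row = lookup_vulnerable(conn, "3 OR 1=1")[2]
    print(render_row_vulnerable(*hidden_row))
    print(render_row_hardened(*hidden_row))
```

Running the block shows the point the showdown is meant to teach the Database and Security teams: with the id `2 OR 1=1`, the concatenated query ignores the `hidden = 0` filter and returns every product, while the parameterized lookup returns nothing because the value is not an integer. The escaped template renders the stored markup as literal text instead of letting the browser execute it.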
SITES
• Undergrads: www.cse.unt.edu/projects/ecommerce/
• Grads: DroneCam.tv
RESULTS SO FAR
• Anecdotally more enthusiasm
• Security teams are really getting into it
  • When you tell them their grade depends on defending the site and bringing the other team down
• Usual group project problems
  • The do-nothings and the fragmenters
• Essentially plagiarism-proof
CAVEATS
• Vet your Project Manager
  • Some students took it too seriously, wouldn’t give passwords to their team members who needed them for fear of security leaks
• Try to cull the do-nothings early
• Have fun