Main Page

From Ecommerce Security

Welcome to the Ecommerce Security website.

Contents 1 Contact Information 2 Class Hours 3 Course Description 4 Course Objectives 5 Textbook 6 Class Project 7 Course Requirements and Grading 8 Mailing Lists 9 Events 10 Class 1: Introduction to E-Commerce 11 Class 2: The User in E-Commerce 12 Class 3: Identity Management 13 Class 4: Perimeter Security 14 Class 5: Data Security & Privacy 15 Class 6: TBD 16 Class 7: Web/Application Server Security 17 Class 8: Mid-Term 18 Class 9: Open Source 19 Class 10: Partner Communications 20 Class 11: Web Services / Secure Service-Oriented Architecture 21 Class 12: Incident Response and Digital Forensics 22 Class 13: Project Presentations

Contact Information

Scott Mendenhall

Michael Figueroa, CISSP

Class Hours

September 12, 2005 – December 5, 2005; 6:45 PM – 9:15 PM

Course Description

Business and government alike have become tightly dependent on the Internet to share information and provide services to consumers. In this advanced course, students will learn how to design and build a secure Internet application from the ground up. Key topics include identity management systems, firewalls, intrusion detection, web/application/database security principles.

Course Objectives

At the conclusion of this course, students will have knowledge of the following foundational areas for deploying a secure Internet application:

• Network and system secure architecture design
• Secure database design and integration
• Secure application design
• Basic project management concepts

Textbook

Web Security, Privacy & Commerce (2nd Edition) by Simson Garfinkel

Class Project

Students will organize into groups to determine how Internet applications defend against known malicious attacks. The project will apply concepts from the course to design an application architecture, define the configurations of its components and discuss the consequences of the security controls needed to defend against a given attack. Each student will select a component of interest and take full responsibility for its configuration and associated documentation. Groups will present their conclusions on the final day of class.

Course Requirements and Grading

1. Class Participation (15%) – Students will be graded on overall class participation including attendance, participation in class discussions and completion of the class activities.
2. Class Project (35%) – Students will be required to complete a practical project for this course.
3. Mid-Term Exam (25%) – A mid-term exam will be conducted covering the basic components of an Internet application.
4. Final Exam (25%) – A take-home final exam will be given covering the detailed security aspects of an Internet application.

Mailing Lists

• Mailing List - post, subscribe & unsubscribe
• Mailing List Archive - view postings online

Events

OWASP AppSec Conference US

Date: Oct. 11-12, 2005

Location: NIST, Gaithersburg, MD

Additional Information: Student Registration

Alumni Venture Capitalists Discuss Funding Alumni/Faculty/Student Start-Ups

Date & Time: Wednesday, October 12, 12 p.m. - 1:30 p.m.

Location: Alumni House, 1925 F. St., Washington, DC

Additional Information: Presented by the GW Entrepreneurs Roundtables & Seas Council of Entrepreneurial Tech Transfer and Commercialization An exciting discussion with alumni venture capitalists Ray Dizon (EE '86) of the Maryland Venture Fund, Robbie Melton (Elliott '86) of Technology Development Corporation (TEDCO), and Bill Watson (MS '95) of Virginia's Gap Fund, who will answer questions on what it takes to be funded by their venture funds. A great opportunity to network with others who are entrepreneurs or funders of start-ups.

Please join us for this free event. No RSVP or registration required.

Pizza and soft drinks will be served.

For more information on this event, please visit the Lab2IPO website or contact Tony Stanco, Director of SEAS Council of Entrepreneurial Tech Transfer and Commercialization at stanco@gwu.edu. For more information about the GW Entrepreneurs Roundtable and how you can get involved, please contact Joe Bondi.

Class 1: Introduction to E-Commerce

12 Sept 2005

Summary

• Understanding business needs and interactions
• Understanding Internet Application Design
• Fundamentals of detailed design
• Basic project management practices

Lecturer

• Scott Mendenhall - CEO of M23, presentation

Activities

• Student introductions (SpeedNetworking)

Class 2: The User in E-Commerce

19 Sept 2005

Summary

• Registration/Identity Proofing
• URL Formulation
• Cookies
• Field-level integrity

Guest Lecturer

• Leo Mullen - CEO of Navigation Arts, presentation

Activities

• Review cookie structures
• Review URL formulations
• Shopping cart characteristics

Assignments

• Chapters 6 & 8
• Amazon: No Longer the Role Model for E-Commerce Design

Class 3: Identity Management

26 Sept 2005

Summary

• Lifecycle Components
• Authentication and Authorization
• LDAP & Single Sign-On Principles

Lecturer

• Michael Figueroa, CISSP - Security Architect, Booz Allen Hamilton, presentation

Activities

• Review x.509 certificate structure

Assignments

• Chapter 7
• OpenLDAP Software 2.3 Administrator’s Guide – Chapter 1
• Federal Authentication Technical Architecture

Class 4: Perimeter Security

3 October 2005

Summary

• Firewalls/Routers/Switches
• Intrusion Detection Practices
• Encrypted Channels

Guest Lecturer

• Marty Roecsh - CTO of Sourcefire
• Michael Figueroa - presentation

Activities

• Using IP Tables
• Snort Configuration

Assignments

• Chapter 14
• Appendix B
• Snort Technical Guide

Class 5: Data Security & Privacy

10 October 2005

Summary

• ODBC/JDBC Protocol
• Database Connections
• Privacy Implications

Lecturer

• Michael Figueroa, CISSP - Security Architect, Booz Allen Hamilton

Activities

• Designing a Basic Internet App Database

Assignments

• An Illustrated Guide to Cryptographic Hashes

Class 6: TBD

17 October 2005

Summary

Lecturer Thorne Graham, Director of Infrastructure Security in the Office of the CIO, Department of Homeland Security

Class 7: Web/Application Server Security

24 October 2005

Summary

• Server Hardening Principles
• Application Protection Principles
  • Buffer Overflows
  • Variable Checking
  • Use/Misuse cases

Guest Lecturer

• John Viega - CTO of Secure Software

Mid-term Review

Assignments

• Chapters 15 & 16

Class 8: Mid-Term

31 October 2005

Class 9: Open Source

7 November 2005

Summary

• Mapping Open Source Projects to each component

Guest Lecturer

• Tony Stanco
• Scott Mendenhall - presentation

Activity

• Debate - Is open source software more secure than closed source software?

Class 10: Partner Communications

14 November 2005

Summary

• Identity Federation
• Secure Payments
• Supply Chain

Assignments

• Chapter 25

Actvivities

• Review Mid-term

Class 11: Web Services / Secure Service-Oriented Architecture

21 November 2005

Summary

• Secure SOA Maturity Spectrum
• SAML; SOAP; Liberty Alliance
• XML Signature; XML Encryption

Guest Lecturer

• Fabio Arciniegas, CTO Postgraphy

Activities

• OASIS Review

Class 12: Incident Response and Digital Forensics

28 November 2005

Summary

• Auditing; Monitoring; Managed Security Services
• Forensic Examination Principles
• Incident Response Procedures

Lecturer

• Michael Figueroa

Class 13: Project Presentations

5 December 2005