Main Page
From Ecommerce Security
Welcome to the Ecommerce Security website.
| Table of contents |
Contact Information
|
Scott Mendenhall |
Michael Figueroa, CISSP |
Class Hours
September 12, 2005 – December 5, 2005; 6:45 PM – 9:15 PM
Course Description
Business and government alike have become tightly dependent on the Internet to share information and provide services to consumers. In this advanced course, students will learn how to design and build a secure Internet application from the ground up. Key topics include identity management systems, firewalls, intrusion detection, web/application/database security principles.
Course Objectives
At the conclusion of this course, students will have knowledge of the following foundational areas for deploying a secure Internet application:
- Network and system secure architecture design
- Secure database design and integration
- Secure application design
- Basic project management concepts
Textbook
Web Security, Privacy & Commerce (2nd Edition) (http://www.amazon.com/exec/obidos/tg/detail/-/0596000456/qid=1126715758/sr=8-1/ref=pd_bbs_1/002-5564735-3384800?v=glance&s=books&n=507846) by Simson Garfinkel
Class Project
Students will organize into groups to determine how Internet applications defend against known malicious attacks. The project will apply concepts from the course to design an application architecture, define the configurations of its components and discuss the consequences of the security controls needed to defend against a given attack. Each student will select a component of interest and take full responsibility for its configuration and associated documentation. Groups will present their conclusions on the final day of class.
Course Requirements and Grading
- Class Participation (15%) – Students will be graded on overall class participation including attendance, participation in class discussions and completion of the class activities.
- Class Project (35%) – Students will be required to complete a practical project for this course.
- Mid-Term Exam (25%) – A mid-term exam will be conducted covering the basic components of an Internet application.
- Final Exam (25%) – A take-home final exam will be given covering the detailed security aspects of an Internet application.
Mailing Lists
- Mailing List (http://lists.ecommercesecurity.org/mailman/listinfo/csci-385-fall-2005-discuss) - post, subscribe & unsubscribe
- Mailing List Archive (http://lists.ecommercesecurity.org/mailman/private/csci-385-fall-2005-discuss/) - view postings online
Events
OWASP AppSec Conference US
Date: Oct. 11-12, 2005
Location: NIST, Gaithersburg, MD
Additional Information: Student Registration (http://www.owasp.org/docroot/owasp/Registration/index_edu.jsp)
Alumni Venture Capitalists Discuss Funding Alumni/Faculty/Student Start-Ups
Date & Time: Wednesday, October 12, 12 p.m. - 1:30 p.m.
Location: Alumni House, 1925 F. St., Washington, DC
Additional Information: Presented by the GW Entrepreneurs Roundtables & Seas Council of Entrepreneurial Tech Transfer and Commercialization An exciting discussion with alumni venture capitalists Ray Dizon (EE '86) of the Maryland Venture Fund, Robbie Melton (Elliott '86) of Technology Development Corporation (TEDCO), and Bill Watson (MS '95) of Virginia's Gap Fund, who will answer questions on what it takes to be funded by their venture funds. A great opportunity to network with others who are entrepreneurs or funders of start-ups.
Please join us for this free event. No RSVP or registration required.
Pizza and soft drinks will be served.
For more information on this event, please visit the Lab2IPO website (http://lab2ipo.org/Events/Oct122005) or contact Tony Stanco, Director of SEAS Council of Entrepreneurial Tech Transfer and Commercialization at stanco@gwu.edu. For more information about the GW Entrepreneurs Roundtable and how you can get involved, please contact Joe Bondi.
Class 1: Introduction to E-Commerce
12 Sept 2005
Summary
- Understanding business needs and interactions
- Understanding Internet Application Design
- Fundamentals of detailed design
- Basic project management practices
Lecturer
- Scott Mendenhall (http://www.m23.com/about_us/people.jsp) - CEO of M23, presentation (http://www.ecommercesecurity.org/download/ecommerce_security-scott_mendenhall-091205.ppt)
Activities
- Student introductions (SpeedNetworking)
Class 2: The User in E-Commerce
19 Sept 2005
Summary
- Registration/Identity Proofing
- URL Formulation
- Cookies
- Field-level integrity
Guest Lecturer
- Leo Mullen (http://www.navarts.com/aboutus/readmanage.asp?pid=138) - CEO of Navigation Arts, presentation (http://www.ecommercesecurity.org/download/ecommerce_security-leo_mullen-091905.ppt)
Activities
- Review cookie structures
- Review URL formulations
- Shopping cart characteristics
Assignments
- Chapters 6 & 8
- Amazon: No Longer the Role Model for E-Commerce Design (http://www.useit.com/alertbox/20050725.html)
Class 3: Identity Management
26 Sept 2005
Summary
- Lifecycle Components
- Authentication and Authorization
- LDAP & Single Sign-On Principles
Lecturer
- Michael Figueroa, CISSP - Security Architect, Booz Allen Hamilton, presentation (http://www.ecommercesecurity.org/download/ecommerce_security-michael_figueroa-092605.ppt)
Activities
- Review x.509 certificate structure
Assignments
- Chapter 7
- OpenLDAP Software 2.3 Administrator’s Guide – Chapter 1 (http://www.openldap.org/doc/admin23/)
- Federal Authentication Technical Architecture (http://www.cio.gov/eauthentication/)
Class 4: Perimeter Security
3 October 2005
Summary
- Firewalls/Routers/Switches
- Intrusion Detection Practices
- Encrypted Channels
Guest Lecturer
- Marty Roecsh (http://www.sourcefire.com/aboutsf/exec_team.html#Martin) - CTO of Sourcefire
- Michael Figueroa - presentation (http://www.ecommercesecurity.org/download/ecommerce_security-michael_figueroa-100305.ppt)
Activities
- Using IP Tables
- Snort Configuration
Assignments
- Chapter 14
- Appendix B
- Snort Technical Guide (http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1083823,00.html)
Class 5: Data Security & Privacy
10 October 2005
Summary
- ODBC/JDBC Protocol
- Database Connections
- Privacy Implications
Lecturer
- Michael Figueroa, CISSP - Security Architect, Booz Allen Hamilton
Activities
- Designing a Basic Internet App Database
Assignments
- An Illustrated Guide to Cryptographic Hashes (http://www.unixwiz.net/techtips/iguide-crypto-hashes.html)
Class 6: TBD
17 October 2005
Summary
Lecturer Thorne Graham, Director of Infrastructure Security in the Office of the CIO, Department of Homeland Security
Class 7: Web/Application Server Security
24 October 2005
Summary
- Server Hardening Principles
- Application Protection Principles
- Buffer Overflows
- Variable Checking
- Use/Misuse cases
Guest Lecturer
- John Viega (http://www.securesoftware.com/about/viega.html) - CTO of Secure Software
Mid-term Review
Assignments
- Chapters 15 & 16
Class 8: Mid-Term
31 October 2005
Class 9: Open Source
7 November 2005
Summary
- Mapping Open Source Projects to each component
Guest Lecturer
- Tony Stanco
- Scott Mendenhall - presentation (http://www.ecommercesecurity.org/download/ecommerce_security-scott_mendenhall-110705.ppt)
Activity
- Debate - Is open source software more secure than closed source software?
Class 10: Partner Communications
14 November 2005
Summary
- Identity Federation
- Secure Payments
- Supply Chain
Assignments
- Chapter 25
Actvivities
- Review Mid-term
Class 11: Web Services / Secure Service-Oriented Architecture
21 November 2005
Summary
- Secure SOA Maturity Spectrum
- SAML; SOAP; Liberty Alliance
- XML Signature; XML Encryption
Guest Lecturer
- Fabio Arciniegas, CTO Postgraphy
Activities
- OASIS Review
Class 12: Incident Response and Digital Forensics
28 November 2005
Summary
- Auditing; Monitoring; Managed Security Services
- Forensic Examination Principles
- Incident Response Procedures
Lecturer
- Michael Figueroa
Class 13: Project Presentations
5 December 2005
