Ryan Garlick: Teaching Secure E-Commerce Through Building Real-World Sites
TRANSCRIPT
All content presented via real-world examples of working sites
Google Analytics
Amazon feeds
SSL certificate
Domain / DNS
phpMyAdmin
Cart software
FTP
Project Management – MS Project / Pivotal Tracker
COURSE CONTENT
I had access to existing e-commerce sites for examples
ACM students for t-shirts, running the UG site
Drone project in a directed study dovetailed with the Grad site
Asked the students if anyone had ideas…
Some good ones – Farmer’s Food Delivery
PREP WORK / CHEATING
Students pick the site
I bought the SSL certificate / domain / hosting
Totals around $100 for the year
If it gets up and running, students to implement it?
DETAILS
Here’s our problem, now let’s learn the tools we need to solve it.
Ex: Bitcoin
Everything is results based – students choose the tools to get there
METHODOLOGIES
First day… pick a team
Security
Payment
Database / Backup
Business
Graphics
Products / Cart
And… A Project Manager
TEAMS
I had to break a few ties, but in general students picked their group.
Students choose a site
And a cart platform
STUDENTS DECIDE
Choose carefully.
A good PM makes or breaks the team.
Pull them aside early and visit with them about:
Management techniques – make me the bad guy
Effective delegation
THE PROJECT MANAGER
If your group is fragmenting, or not getting anything done, he or she will be held responsible.
THE PM
Presentations by each team
What I stress: “Show me what you did on the site”.
OK if it’s not visible on the front end, but you need to do something on the site, not just “research”
During the showdown, points are awarded to a team for inflicting harm on the other team’s site.
Undergrads get a 2x modifier
EVALUATION
Application layer only – no LOIC to DDoS
Only things that someone outside the class would have access to
Social engineering is allowed
Encouraged to look for cart / SQL weaknesses
Nothing destructive until the last day
Database / Backup team responsible for restoring
THE SHOWDOWN
XSS, SQL Injection
Inner workings of Shopping Carts / Sessions
SSL and Payment Gateways
SEO, Google Analytics
SQL and how it relates to the Cart / PHP
Payment – must implement Bitcoin
Graphics Templates for each cart
Team Management
TOPICS
Anecdotally more enthusiasm
Security teams are really getting into it
When you tell them their grade depends on defending the site and bringing the other team down
Usual group project problems
The do-nothings and the fragmenters
Essentially plagiarism-proof
RESULTS SO FAR