
Teaching Security Techniques in an E-Commerce Course

Journal of Information Systems Education, Spring 2006 by Liu, Chang, Mackie, Brian G

ABSTRACT

Over the past few years, more and more companies have been investing in electronic commerce (EC) by developing and implementing web-based applications on the Internet. While EC can help improve business services and increase customer satisfaction, it also brings increased security risks to those companies implementing it. Developers of EC web sites have to incorporate ways to systematically identify and eliminate security vulnerabilities within their EC applications. This paper describes how Microsoft ASP.Net can be used to assist students in exploring ways to increase the security of EC applications. The hands-on component covers useful techniques for improving application robustness in the pre-sales, online-sales and after-sales phases of an EC application. The paper concludes with a discussion of "lessons learned" and suggestions for effectively teaching security in an EC design course.

Keywords: Electronic Commerce, Security, Application, Course Development, ASP.Net

1. INTRODUCTION

Electronic Commerce (EC) has allowed organizations to enhance their economic growth, reduce barriers to market entry, improve efficiency and effectiveness, keep inventories lean, and reduce costs (Hof and Hamm, 2002). Research indicates that EC will continue to grow and that it will change every kind of business, online as well as offline. In order to achieve the most benefit, businesses need to build security into their EC web sites (Gartner Group, 2005). Many security experts believe that implementing firewalls and Intrusion Detection Systems (IDS) alone is inadequate, as security is a continual process that needs to be addressed across the computer network layer, the web host layer and the application layer (Main, 2004).

Recent studies show that the number of severe computer breaches of EC applications has grown steadily and that the application layer has been a frequent point of attack by intruders in recent years (Computer Security Report, 2002). Given the magnitude of real and potential losses, there is a need to build a systematic framework to address security issues in web-based EC applications. Although some universities have started either to expand their curriculum by developing security-related courses or to integrate relevant security content into the technical courses in their IS degree programs, little has been done to emphasize security within EC application design courses offered at universities.

Internet intruders can create havoc and produce catastrophic results by exploiting weaknesses within EC applications. The intruder's best ally is poorly written or inadequately tested software. Therefore, students who take an EC web application design course need to be given ways to systematically identify and eliminate vulnerabilities within the code for EC applications to improve their security.

In the following sections we describe some teaching techniques that emphasize methods students can use to identify and eliminate vulnerabilities within their EC applications and improve application robustness by integrating many security features within the design process. More importantly, the hands-on approach described here enhances students' understanding of the security content and provides them with solid hands-on experience with web-based EC application design.

2. CURRICULUM DEVELOPMENT

A semester-long e-commerce course taught in the fall of 2004 at a large mid-western university was used for this teaching strategy. It emphasized web-based application design using Microsoft's ASP.Net technology. This allowed the students to explore the EC application development process by creating an electronic shopping mall to sell products or services. The students, who were seniors with an Information Systems major, covered a range of EC development topics, including web site design, shopping cart design, input validation, web database integration, order confirmation, and incorporating security features throughout. This allowed the authors the freedom to integrate security features within the design process. There were twenty-one students in the course. Students were split into seven groups of three students per group. At the end of the semester, each group of students presented a final project, which incorporated security in each marketing phase of the EC web application, to the entire class. Each group of students chose their own project topic as long as it was different from the topic selected by other groups. Each project had to include an online transaction application for products, services, and/or information. This ensured that the project presentation was interesting to the students and that it concentrated on EC application design. Moreover, it prompted healthy competition among different project groups. The students were also required to write a final report on "lessons learned" and "future improvements" for the final project. The final topics were agreed upon in the first class after the middle of the semester, thus giving the groups enough time to complete the project by the end of the semester.

3. THE HANDS-ON ENVIRONMENT

A dedicated web server with Windows 2003 Enterprise edition was used for the class and implementation of the students' projects. This server included the following applications: Microsoft Visual Studio.Net (VS.Net) and Microsoft SQL Server 2000. The Information Technology Services (ITS) department on campus was responsible for creating a web folder for each student. The students used the remote desktop connection, available in Windows XP, to access the web server. One of the main advantages of this design environment was that there was no need to install a copy of VS.Net on each computer a student might use while developing an EC application. Therefore the only requirement the student needed to work on their application was an Internet connection and the remote desktop application, which is included as part of Windows XP. This design environment also ensured that each student could only access their own EC application.

 
