Teaching Security Techniques in an E-Commerce Course

Journal of Information Systems Education, Spring 2006, by Chang Liu and Brian G. Mackie

Another technique demonstrated in the course was the use of separate Web.Config files in subdirectories of an EC application. These Web.Config files were used to limit user access and so secure the after-sales phase of EC activities. A scenario was developed in which the students had to create a Member Only directory within their EC application to serve returning customers in the after-sales phase. The Member Only directory had several subdirectories, such as Special Deals and Award Services. Each directory had its own authorization rules declared in the Web.Config file residing in that directory. Access was therefore determined by the user's identity, which enhanced the security of the EC application.
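An added illustration of the per-directory layout described above (example configuration written for this page, not the course's own files): the directory names follow the scenario, while the role names, login page and cookie name are assumptions. ASP.NET evaluates `<authorization>` rules top-down with the first match winning, and a subdirectory's rules are checked before those inherited from its parents, so each folder ends with an explicit deny rather than relying on the machine-level default of `<allow users="*"/>`.

```xml
<!-- /Web.Config (application root): Forms authentication is configured once here.
     The public catalogue stays open to anonymous browsing. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- assumed names: login page and cookie are not from the paper -->
      <forms loginUrl="Login.aspx" name=".ECAUTH" timeout="30" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- /MemberOnly/Web.Config: anonymous users ("?") are denied everything
     under this folder; ASP.NET redirects them to loginUrl. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- /MemberOnly/SpecialDeals/Web.Config: only the assumed "Member" role.
     The closing deny matters: without it the inherited allow-all rule
     would admit any authenticated user who is not a Member. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Member" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- /MemberOnly/AwardServices/Web.Config: a narrower audience, the assumed
     "GoldMember" role; everyone else, authenticated or not, is denied. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="GoldMember" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

One caveat to check when testing such a layout: these rules only govern requests that ASP.NET actually handles, so on older IIS versions static files (images, plain .html) placed in a protected folder are served without passing through the authorization module unless their extensions are mapped to ASP.NET.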

5. CONCLUSIONS

To evaluate student expectations and reactions, the authors developed a post-course evaluation survey. This evaluation survey was in addition to the normal university course evaluation. Initial results indicated that ALL students rated the hands-on exercises on security through the three phases of EC activities very helpful and applicable to real business situations. The students believed that being "forced" to examine security issues based on pre-sales, online-sales, and after-sales phases was important to helping them understand and classify the content. The students walked away surprised that there were so many security issues involved in an EC application design. Many were excited that they could protect an application against these security vulnerabilities. Interestingly, several students went to another faculty member and showed him that his online application was vulnerable to a SQL injection attack (one of the examples used in the class). As a result of lessons learned, the following are some suggestions for other faculty incorporating security issues in their EC application design class:

* Each student should be required to sign a letter promising to be a good citizen by not using the skills and knowledge learned in the class to harm web sites or explore their vulnerabilities. This would be a protection for both the faculty who show these techniques and the students who participate in this type of class.

* Prerequisites for students include knowledge of the VB.Net programming language, HTML, database concepts, and a good understanding of networking fundamentals. Students can then learn quickly and cover the topics in more depth if they have the above skills.

* The faculty member should be given permission to assign web folder configurations. Hands-on exercises in the course often required a group of students to develop and test security issues together. With the current settings, each student could only access his or her own folder within the web server. It would be very useful if the students could all have access to a given project folder instead of one of the students having to give his login and password to all members of his group.

* Students should be taught that security is no easy fix. They should continue to document, search for solutions, review, and refine security issues throughout the application design process.
