Syllabus
IS 2731: Security in E-Business

IS 2731
Spring 2016 (216-4)
CRN: 20485
Monday 6:00-8:50 Room 405
Michael B. Spring
Information Science and Technology
University of Pittsburgh
701B SIS Building
Personal Email: spring@imap.pitt.edu
Class Email: mbsclass@mail.sis.pitt.edu
Office Hours:  Monday-Friday 8:00-6:00
Phone: 412-624-9429

Introduction

Security in E-Business is a graduate course on the design and implementation of information security in e‑business systems. Given the evolving nature of the field, you will be more involved in setting the structure of the course through research and presentations than is normally the case. Some students will inevitably have working experience in security, and their contributions on the current state of security practice will be welcomed.

Let’s begin with a word about definitions. There is little agreement about the meaning and the most appropriate usage of the terms e-business and e-commerce. You may have noted that while the formal title of the course is “Security in E-Commerce,” I use the term “E-Business” in the title of the syllabus. There is some consensus that e-business includes all aspects of business from supply chain management to customer relationship management; it is the end-to-end management of a business using digital means. E-commerce is more frequently used to refer to the process of buying and selling on the web. This suggests that e-commerce is one facet of e-business, and that e-business is much more than e-commerce. It is in this sense that we use the terms.

The course assumes that students are competent programmers with a solid knowledge of operating systems. Because many security examples involve the C language and the Unix operating system, most of the examples given will be in terms of that language and operating system. Students with limited C programming experience or minimal experience with Unix may take the course, but should anticipate spending significant additional time familiarizing themselves with the environment during the course.

Overview

The course will focus on the technology, concepts, issues and principles that are important in the design and implementation of secure e‑business systems. It will examine technology for protecting both organizations behind firewalls and communications between machines across the Internet. It will include discussion of basic security principles, as well as the issues, policy and standards particular to e‑business applications.

The course is divided into five parts:

Course Goals

The goals of the course are:

Course Materials

The required book for this course is:

This book covers the basic topics I want to address in this course. Although it will give you the basic concepts, you will find that it does not go into much detail on many of them. I will provide an additional reading list for these topics. Most of the reading materials are available in electronic form via the World Wide Web (WWW). Students are required to read the materials for each topic each week before coming to class.

Online resources are very useful in answering questions. A couple of starting points would include:

Course Prerequisites

There are several things that you should know before you take this course. The course requires knowledge of Internet protocols and formats, especially those of the WWW. Basic programming skill in C and in C++ or Java is strongly recommended.

Your knowledge of programming (particularly C) and of operating systems (particularly Unix and Windows) will help you in this course. One way to gauge your readiness to take this course is to answer the following questions. If you can't answer any of them, you will have a tough time with some of the concepts in this course.

The prerequisites for this course are:

·       INFSCI 2560: Web Technologies and Standards – covers HTTP, HTML and basic servlet programming

·       INFSCI 2150: Introduction to Security – gives you the basic concepts and an overview of information security

It is recommended, although not required, that you take the following courses prior to or together with this course.

·       INFSCI 2550: Client‑Server & Workstations – covers distributed programming and client-server systems generally

·       TELCOM 2821: Network Security – covers fundamental issues and first principles of security and information assurance (confidentiality/privacy, integrity, authentication, identification, authorization, availability, access control)

Course Requirements

Your grade for the course will come from quizzes, participation, and projects. Your grade will be based on the number of points you earn out of 100, with an A awarded for 90-100, a B for 80-90, a C for 65-80 and an F for 0-65. As a general rule of thumb, the instructor views a graduate course as a commitment of 3 hours of homework for every hour of class time. Over the term, then, your reading and work on projects should absorb about 135 hours, so a project worth 10 points anticipates that you will spend 10 hours on it. Well prepared students will need less time, and students with weak backgrounds will require more. The sources of points are as follows:

  1. Your participation in the class discussions and your overall participation in the class will be assessed by the instructor at the end of the term.  Students will be awarded from 0 to 10 points at the instructor’s discretion.
  2. Thirty (30) points will come from three projects.  The three individual projects are each worth 10 points.
    1. Complete the PKI lab and set up your mail system to provide encrypted email for the course using PKI. (10 points)
    2. Develop an active page for display on a client that demonstrates mechanisms to improve the security of information passed to a web server. (10 points)
    3. Produce a piece of server-side code that demonstrates a set of secure coding practices. It should at the very least demonstrate how to prevent buffer overflows, injection, and cross-site threats. (10 points)
  3. Depending on the students in the class and your level of engagement, 30 points will be earned either on assigned projects or via brief 5-minute in-class quizzes on the assigned reading for the week. If quizzes are used, they will consist of multiple-choice and fill-in questions designed to make sure that you are reading the assigned material before class. There will likely be six such quizzes worth 5 points each, for a total of 30 points over the term.
  4. The final project will be worth 30 points. See Appendix A for possible final projects. Students are free to propose their own final project, and the instructor will suggest others as the term proceeds.

Course Policies

Academic Integrity

You are expected to be fully aware of your responsibility to maintain a high quality of integrity in all of your work. All work must be your own, unless collaboration is specifically and explicitly permitted as in the course group project. Any unauthorized collaboration or copying will at minimum result in no credit for the affected assignment and may be subject to further action under the University Guidelines for Academic Integrity. You are expected to have read and understood these Guidelines.

You should pay particular attention to plagiarism and copying.  Specifically:

·       For coding projects, all code that comes from any source other than your own head must be fully and carefully marked. This includes code which you have adapted from some source but which is essentially someone else’s work. Failure to note such use is cause for a grade of 0 on the assignment and may result in an F in the course. All of your code should be carefully and professionally commented and explained.

·       For papers, every word, phrase, or sentence that is copied from the web or from another paper must be placed in quotes and attributed, i.e. the source from which it is taken must be noted. Given the prevalence of plagiarism in recent years, you will prepend the following note to any paper you submit.

I assert that all of this paper has been written by me and not copied from any source except where specifically noted by placing material in quotes or blocks with attribution to the source. This includes not only specific words, but ideas that came from some other source (i.e., are not my own). Basically, if you take an idea from some source and weave it into your own paper, the source should be identified. You do not have to cite things that are common knowledge, that is, things the average person is very likely to know. Changing a word or two in a sentence usually does not eliminate the need for quotation marks.

Special Considerations

If you have a disability that requires special testing accommodations or other classroom modifications, please notify both the instructor and Disability Resources and Services by the second week of the term. You may be asked to provide documentation of your disability to determine the appropriateness of accommodations. To notify Disability Resources and Services, call 648-7890 (voice or TDD) to schedule an appointment. The office is located in the William Pitt Union, Room 216.

Course Outline

The course outline below is a preliminary statement of the scope and sequence of the course. Some slippage in the schedule is anticipated if topics require more time than allocated. It is also anticipated that some of the topics scheduled for later in the term will be addressed earlier as they come up in class discussion.

Lecture  Topic                                       Assignments
1        Introduction: E‑commerce on the Internet    TBD
2        Web Technology and Web Security             Chap. 1-4
3        Vulnerability Trends                        OWASP
4        Cryptography Basics                         TBD
5        SSL, TLS and PKI                            TBD
6        Scripts                                     Chap. 5-8
7        Coding Issues and Intellectual Property     TBD
8        Securing Web Applications                   Chap. 9-12
9        Web Browser Security                        Chap. 13-15
10       Web Server Security                         TBD
11       Biometrics and Digital Identification       TBD
12       Digital Payments                            TBD
13       The Future                                  Chap. 16-18
14       Presentations                               TBD

Appendix A: Possible Final Projects

These are a few suggestions for final projects. Students in this course are encouraged to carve out a final project that meets their own interests; what follows are merely suggestions.

1.     Beginning with an existing plan (CERT, Microsoft, Cisco, etc.), develop a tutorial and checklist to be used in setting up a small business or non-profit website that will be appropriately secure and maintainable.

2.     A security implementation plan for a research website. This would include all aspects of security, from the physical layout of facilities, selection and configuration of hardware and software, and development and deployment procedures, through human resource management, intrusion detection, and contingency plans.

3.     Develop a plug-and-play component for a website that can be used to improve some particular aspect of security. There are numerous categories in which this might be done, but consider the following as examples:

·       A self-registration subsystem that allows users to register using an email address, where the registration credentials are tied to that email address, i.e. the registration cannot be completed if the email address is not valid.

·       A token-based reminder system that provides a two-part login, giving the user some assurance that the page generated for password submission came from the server they initially registered with.

·       A system that encrypts messages transmitted from the client using DES or some other algorithm, to be decrypted by the server using the appropriate companion algorithm.

4.     Public‑Key Infrastructure (PKI) development plan proposal. This should be a significant demonstration of your ability to apply the knowledge and understanding gained in this course to the real world. You will be given a scenario in which you are a committee of the PKI working group of your organization. Your job is to write a proposal for a plan to employ PKI technology in your organization. The proposal should provide the following information:

·       objectives

·       design of the Certificate Authority (CA) structure

·       the reasons you chose that structure (advantages vs. disadvantages)

·       policies and functions of the CA at each level of the structure

·       the technologies you want to employ (for example, encryption standards, smart card standards, etc.) and why these technologies are needed