Software Development Lifecycle

Management 265Introduction to E-Commerce

Nicholas A. Davis

Session Two

09/22/2009

Objectives• Software development lifecycle• Build vs. buy decision• Considerations in choosing appropriate hardware

and software• Considerations for monitoring and improving

website performance• Identify key security threats to e-commerce• Describe tools used to ensure security• Explain online payment processes• Describe features of bill presentment and

payment

Assignments Due Today

• Read chapters 4 and 5 in the textbook

• Submit case study analysis

• Discuss an article related to cutting edge technology used in e-commerce

• Submit ISP analysis

• Develop action plan for e-commerce paper

ISP Analysis

• Contact local ISP: Charter, TDS, AT&T

• Dialup, Cable (broadband), DSL

• Features

• Benefits

• Costs

• Drawbacks

Group Exercise

• Select a website where you like to shop online

• You are in charge of developing a new e-commerce website for this company

• Draw a diagram representing the System Development Lifecycle

System Development Lifecycle

• Systems Analysis/Planning

• Systems Design

• Building the System

• Testing

• Implementation/Service Delivery

• Let’s examine each

Best Practices – Systems Analysis

• What do we want to do with e-commerce and what can it do for our business?

• Let business decisions drive the technology

• Identify objectives and then identify technical functionality to meet those objectives

• The real difference in planning for and e-commerce store vs. a retail store

Best Practices – System Design

• System design specification – simply a description of the main components

• Logical Design is the data flow

• Physical Design translates the logical design into physical components

Best Practices – Build vs. Buy

• Outsourcing means that you hire an outside vendor to provide services

• Lately, outsourcing has become a touchy subject, a more politically correct term is “Co-Managed”

• Build: Out of the box, benefits, drawbacks• Host: Benefits, drawbacks• Build and Host• Class’s opinion?• Instructor’s opinion!

Best Practices - Testing

• Unit Testing – each module

• System Testing – everything together

• Acceptance Testing – Internal AS WELL as external facing testing is important.

Best Practices - Implementation

• Monitor

• Adapt

• Maintain

• Expensive!

• Benchmark to competitors: Speed, Quality, Design, Pricing, Promotions, Keeping Current

Software and Platform Selection Considerataions

• Operating System – Commercial vs. Open• Commercial benefits – More refined, mature,

supported• Commercial drawbacks – Higher purchase cost,

more well known to hackers, may be less robust….Less so currently

• Open Source benefits – cheaper (or free), lesser known to hackers, may be more robust

• Open Source drawbacks – Less user friendly (requires more expertise), little or no support, less mature in some areas, so SLA available

E-Commerce Software ToolsSite Management Tools

• Identify dead links on your site

• Identify orphan files

• Traffic patterns

Dynamic Page Generation Tools

• Original web pages had static content

• Webpage contents are now often stored as objects in a database

• The advantage of modern architecture is dynamic, user specific page generation

• Open Database Connectivity standard (ODBC), means that a web server can connect to virtually any backend database, regardless of vendor

Discussion

• System Development Lifecycle

• Buy vs. Build decision making

• Software and Platform selection process

• E-commerce software tools

E-Commerce Security

E-Commerce Security Threats

• Malicious code – such as SQL injection

• Virus: replicate file to file and deliver a payload

• Worm: replicate computer to computer

• Trojan Horse: looks harmless, but isn’t

• Bot: waits and then executes commands received from an external source, making your computer a “zombie”

E-Commerce Threats

• Spyware, browser parasite is a form of spyware

• Malware

• Phishing

E-Commerce Threats

• Internal staff

• Contractors

• Janitorial services

• Third party business partners

Class Exercise

• What do you believe are the major threats to e-commerce?

• Which solutions can help mitigate these risks?

Class Article Discussion

• Describe the article you found in summary

• Describe a leading edge technology that may change e-commerce

• How will it change?

• Will it make it better or worse from the viewpoint of the consumer and the service provider?

E-Commerce Function Paper

• Introduce the company

• Introduce the industry sector

• Introduce the corporate website

• Identify the company mission and vision

• Identify methods used to create value for its customers

• Describe the web application and function being analyzed

E-Commerce Function Paper(More Detail)

• Analyze the corporate website application and describe the benefits to the organization

• Critique the content, context and infrastructure of the website from the customer perspective

• Provide an overall critique of the website, including a SWOT analysis

• Make recommendations for improvement

Class Exercise

• Have you changed your shopping and banking habits over the past five years?

• Do you shop more online than you used to?

• Do you use and trust PayPal? 1 to 10 scale

• What is your confidence level?

Payment Systems

• B2B = Business to Business

• B2G = Business to Government

• C2C = Consumer to Consumer

• G2B = Government to Business

• G2C = Government to Citizen

• C2B = Consumer to Business

B2B• Business-to-business (B2B) describes commerce transactions

between businesses, such as between a manufacturer and a wholesaler, or between a wholesaler and a retailer. Contrasting terms are business-to-consumer (B2C) and business-to-government (B2G).

• The volume of B2B transactions is much higher than the volume of B2C transactions. The primary reason for this is that in a typical supply chain there will be many B2B transactions involving subcomponent or raw materials, and only one B2C transaction, specifically sale of the finished product to the end customer. For example, an automobile manufacturer makes several B2B transactions such as buying tires, glass for windshields, and rubber hoses for its vehicles. The final transaction, a finished vehicle sold to the consumer, is a single (B2C) transaction.

B2G• Business-to-government (B2G) is a derivative of B2B

marketing and often referred to as a market definition of "public sector marketing" which encompasses marketing products and services to government agencies through integrated marketing communications techniques such as strategic public relations, branding, marcom, advertising, and web-based communications.

• B2G networks allow businesses to bid on government RFPs in a reverse auction fashion. Public sector organizations (PSO's) post tenders in the form of RFP's, RFI's, RFQ's etc. and suppliers respond to them.

C2C• Consumer-to-consumer (C2C) (or citizen-to-citizen) electronic

commerce involves the electronically-facilitated transactions between consumers through some third party. A common example is the online auction, in which a consumer posts an item for sale and other consumers bid to purchase it; the third party generally charges a flat fee or commission. The sites are only intermediaries, just there to match consumers. They do not have to check quality of the products being offered.

• This type of e-commerce is expected to increase in the future because it cuts out the costs of using another company. An example on cited in Management Information Systems, is for someone having a garage sale to promote their sale via advertising transmitted to the GPS units of cars in the area. This would potentially reach a larger audience than just posting signs around the neighborhood.

G2B

• Government-to-Business (abbreviated G2B) is the online non-commercial interaction between local and central government and the commercial business sector, rather than private individuals (G2C). For example http://www.dti.gov.uk is a government web site where businesses can get information and advice on e-business best practices

G2C

• Government-to-Citizen (abbreviated G2C) is the online non-commercial interaction between local and central Government and private individuals, rather than the commercial business sector G2B. For example Government sectors become visibly open to the public domain via a Web Portal. Thus making public services and information accessible to all. One such web portal is Government Gateway.

• Consumer-to-business (C2B) is an electronic commerce business model in which consumers (individuals) offer products and services to companies and the companies pay them. This business model is a complete reversal of traditional business model where companies offer goods and services to consumers (business-to-consumer = B2C).

• This kind of economic relationship is qualified as an inverted business type. The advent of the C2B scheme is due to major changes:

• Connecting a large group of people to a bidirectional network has made this sort of commercial relationship possible. The large traditional media outlets are one direction relationship whereas the internet is bidirectional one.

• Decreased cost of technology : Individuals now have access to technologies that were once only available to large companies ( digital printing and acquisition technology, high performance computer, powerful software)

What is a Digital Certificate?

Digital Certificates Do a Couple of Things

•Authentication

•Digital signing

•Encryption

Authentication

Digital Signing

Encryption

Digital Certificates Continued

Digital CertificateElectronic Passport

Good for authentication

Good non-repudiation

Proof of authorship

Proof of non-altered content

Encryption!

Better than username - password

What is in a Certificate?

Public and Private KeysThe digital certificate has two parts, aPUBLIC key and a PRIVATE keyThe Public Key is distributed toeveryoneThe Private Key is held very closelyAnd NEVER sharedPublic Key is used for encryption andverification of a digital signaturePrivate Key is used for Digital signing anddecryption

Public Key Cryptography

Getting Someone’s Public KeyThe Public Key must be shared to beUsefulIt can be included as part of yourEmail signatureIt can be looked up in an LDAPDirectoryCan you think of the advantages anddisadvantages of each method?

Who Could This Public Key Possibly Belong To?

What is PKI?

• PKI is an acronym for Public Key Infrastructure

• It is the system which manages and controls the lifecycle of digital certificates

• The PKI has many features

What Is In a PKI?• Credentialing of individuals

• Generating certificates

• Distributing certificates

• Keeping copies of certificates

• Reissuing certificates

• Revoking Certificates

Credentialing

• Non technical, but the most important part of a PKI!

• A certificate is only as trustworthy as the underlying credentialing and management system

• Certificate Policies and Certificate Practices Statement

Certificate Generation and Storage

• How do you know who you are dealing with in the generation process?

• Where you keep the certificate is important

Distributing Certificates

• Can be done remotely – benefits and drawbacks

• Can be done face to face – benefits and drawbacks

Keeping Copies – Key Escrow

• Benefit – Available in case of emergency

• Drawback – Can be stolen

• Compromise is the best!

• Use Audit Trails, separation of duties and good accounting controls for key escrow

Certificate Renewal• Just like your passport, digital certificates expire• This is for the safety of the organization and

those who do business with it• Short lifetime – more assurance of validity but a

pain to renew• Long lifetime – less assurance of validity, but

easier to manage• Use a Certificate Revocation List if you are

unsure of certificate validity

Trusted Root Authorities

• A certificate issuer recognized by all computers around the globe

• Root certificates are stored in the computer’s central certificate store

• Requires a stringent audit and a lot of money!

It Is All About Trust

Using Certificates to Secure Email

• Best use for certificates, in my opinion

• Digital certificate provides proof that the email did indeed come from the purported sender

• Public key enables encryption and ensures that the message can only be read by the intended recipient

Secure Email is Called S/MIME

• S/MIME = Secure Multipurpose Mail Extensions

• S/MIME is the industry standard, not a point solution, unique to a specific vendor

Digital Signing of Email• Proves that the email came from you• Invalidates plausible denial• Proves through a checksum that the

contents of the email were not altered while in transit

• Provides a mechanism to distribute your public key

• Does NOT prove when you sent the email

Digital Signatures Do Not Prove When a Message or Document Was Signed

You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!

Send Me a Signed Email, Please, I Need Your Public Key

Using a Digital Signature for Email Signing

Provides proof that theemail came from thepurported sender…Isthis email really fromVice President Cheney? Provides proof that thecontents of the emailhave not been alteredfrom the originalform…Should wereally invade Canada?

A Digital Signature Can Be Invalid For Many Reasons

Why Is Authenticating the Sender So Important?

What if This Happens at UW-Madison?

Could cause harm in

a critical situation

Case Scenario

Multiple hoax emails sent with Chancellor’s name and email.

When real crisis arrives, people might not believe the warning.

It is all about trust!

Digital Signing Summary

• Provides proof of the author

• Testifies to message integrity

• Valuable for both individual or mass email

• Supported by Wiscmail Web client (used by 80% of students)

What Encryption Does

Encrypting data with a digital certificateSecures it end to end.• While in transit• Across the network• While sitting on email

servers• While in storage• On your desktop

computer• On your laptop

computer• On a server

Encryption Protects the Data At Rest and In Transit

Physical theft from office

Physical theft from airport

Virtual theft over the network

Why Encryption is Important• Keeps private information private• HIPAA, FERPA, SOX, GLB compliance• Proprietary research• Human Resource issues• Legal Issues• PR Issues• Industrial Espionage• Over-intrusive Government• You never know who is

listening and watching!

What does it actually look like in practice? -Sending-

What does it actually look like in practice (unlocking my private

key)-receiving-

What does it actually look like in practice?-receiving- (decrypted)

Digitally signed and verified; Encrypted

What does it look like in practice?-receiving- (intercepted)

Intercepting the Data in Transit

New Applications Coming Online This Summer!

• Bye bye old ID card!• Hello Smartcard!• One card does it all!• Email encryption,

document signing, web access to sensitive applications and whole disk encryption

Digital Certificates For Machines Too

• SSL – Secure Socket Layer

• Protection of data in transit

• Protection of data at rest

• Where is the greater threat?

• Our certs protect both!

Benefits of Using Digital Certificates

Provide global assurance of your identity,both internally and externally to the UW-MadisonProvide assurance of message authenticityand data integrityKeeps private information private, end toend, while in transit and storageYou don’t need to have a digital certificateTo verify someone else’s digital signatureCan be used for individual or generic mailaccounts.

Who Uses Digital Certificates at UW-Madison?

DoITUW Police and SecurityOffice of the RegistrarOffice of Financial AidOffice of AdmissionsPrimate Research LabMedical SchoolBucky Badger, because he’s a teamplayer and slightly paranoid about hisbasketball plays being stolen

Who Uses Digital Certificates Besides UW-Madison?

US Department of DefenseUS Department of HomelandSecurityAll Western European countriesNew US PassportDartmouth CollegeUniversity of Texas at AustinJohnson & JohnsonRaytheonOthers

The Telephone Analogy

When the

telephone was

invented, it was

hard to sell.

It needed to

reach critical

mass and then

everyone wanted

one.

That All Sounds Great in Theory, But Do I Really Need It?

• The world seems to get along just fine without digital certificates…

• Oh, really?• Let’s talk about some

recent stories

We Have Internal Threats Too @ UW-Madison!

Class Exercise

• Encryption, Public Key Cryptography, Digital Signing

• Draw and discuss diagrams

• 5.9, 5.10, 5.11

• Pages, 284, 287, 288 in textbook

Class Discussion• Protecting privacy and intellectual property (encryption

and digital signing)• Internet Protocols (http vs. https) Is https safe enough

(Hint, think about the ENTIRE system, including data in TRANSIT as well as data at REST)

• Tools to ensure Internet security (Hint, host based tools such as AV and Firewalls, Intrusion Detection, Intrusion Prevention, Honeypots, Physical Security, Employee training, Social Engineering

• Functional requirements for conducting financial transactions on the web (Hint, Authentication, Authorization, Securing data in transit, Securing data in storage, data retention policies, PCI compliance

PayPal Case Study Analysis Discussion

• What is the value propositions that PayPal offers consumers? How about Merchants?

• What are some of the risks of using PayPal when compared to credit cards and debit cards?

• What strategy would you recommend that PayPal pursue in order to maintain its growth over the next five years?

• Why are cell phone networks a threat to Paypal’s future growth?

Wow, That Was a Lot!

• My favorite area of e-commerce is security!• Questions, comments, further discussion?• Assignments for next session:• Read chapters 6 to 8 in the textbook• Submit Ethical Implications paper• Select an article to discuss in class that involves

ethical or legal issues in e-commerce• Project team, case study----you pick!• Work on your e-commerce function paper

Additional Concerns