Software Development Lifecycle

  1. Management 265 Introduction to E-Commerce, Nicholas A. Davis, Session Two, 09/22/2009
  2. Objectives
     • Software development lifecycle
     • Build vs. buy decision
     • Considerations in choosing appropriate hardware and software
     • Considerations for monitoring and improving website performance
     • Identify key security threats to e-commerce
     • Describe tools used to ensure security
     • Explain online payment processes
     • Describe features of bill presentment and payment
  3. Assignments Due Today
     • Read chapters 4 and 5 in the textbook
     • Submit case study analysis
     • Discuss an article related to cutting edge technology used in e-commerce
     • Submit ISP analysis
     • Develop action plan for e-commerce paper
  4. ISP Analysis
     • Contact local ISP: Charter, TDS, AT&T
     • Dialup, Cable (broadband), DSL
     • Features
     • Benefits
     • Costs
     • Drawbacks
  5. Group Exercise
     • Select a website where you like to shop online
     • You are in charge of developing a new e-commerce website for this company
     • Draw a diagram representing the System Development Lifecycle
  6. System Development Lifecycle
     • Systems Analysis/Planning
     • Systems Design
     • Building the System
     • Testing
     • Implementation/Service Delivery
     • Let’s examine each
  7. Best Practices – Systems Analysis
     • What do we want to do with e-commerce and what can it do for our business?
     • Let business decisions drive the technology
     • Identify objectives and then identify technical functionality to meet those objectives
     • The real difference in planning for an e-commerce store vs. a retail store
  8. Best Practices – System Design
     • System design specification – simply a description of the main components
     • Logical Design is the data flow
     • Physical Design translates the logical design into physical components
  9. Best Practices – Build vs. Buy
     • Outsourcing means that you hire an outside vendor to provide services
     • Lately, outsourcing has become a touchy subject; a more politically correct term is “Co-Managed”
     • Build: Out of the box, benefits, drawbacks
     • Host: Benefits, drawbacks
     • Build and Host
     • Class’s opinion?
     • Instructor’s opinion!
  10. Best Practices – Testing
     • Unit Testing – each module
     • System Testing – everything together
     • Acceptance Testing – Internal AS WELL as external facing testing is important.
  11. Best Practices – Implementation
     • Monitor
     • Adapt
     • Maintain
     • Expensive!
     • Benchmark to competitors: Speed, Quality, Design, Pricing, Promotions, Keeping Current
  12. Software and Platform Selection Considerations
     • Operating System – Commercial vs. Open
     • Commercial benefits – More refined, mature, supported
     • Commercial drawbacks – Higher purchase cost, more well known to hackers, may be less robust (less so currently)
     • Open Source benefits – cheaper (or free), lesser known to hackers, may be more robust
     • Open Source drawbacks – Less user friendly (requires more expertise), little or no support, less mature in some areas, no SLA available
  13. E-Commerce Software Tools – Site Management Tools
     • Identify dead links on your site
     • Identify orphan files
     • Traffic patterns
  14. Dynamic Page Generation Tools
     • Original web pages had static content
     • Webpage contents are now often stored as objects in a database
     • The advantage of modern architecture is dynamic, user specific page generation
     • The Open Database Connectivity standard (ODBC) means that a web server can connect to virtually any backend database, regardless of vendor
  15. Discussion
     • System Development Lifecycle
     • Buy vs. Build decision making
     • Software and Platform selection process
     • E-commerce software tools
  16. E-Commerce Security
  17. E-Commerce Security Threats
     • Malicious code – such as SQL injection
     • Virus: replicates file to file and delivers a payload
     • Worm: replicates computer to computer
     • Trojan Horse: looks harmless, but isn’t
     • Bot: waits and then executes commands received from an external source, making your computer a “zombie”
  18. E-Commerce Threats
     • Spyware; a browser parasite is a form of spyware
     • Malware
     • Phishing
  19. E-Commerce Threats
     • Internal staff
     • Contractors
     • Janitorial services
     • Third party business partners
  20. Class Exercise
     • What do you believe are the major threats to e-commerce?
     • Which solutions can help mitigate these risks?
  21. Class Article Discussion
     • Describe the article you found in summary
     • Describe a leading edge technology that may change e-commerce
     • How will it change?
     • Will it make it better or worse from the viewpoint of the consumer and the service provider?
  22. E-Commerce Function Paper
     • Introduce the company
     • Introduce the industry sector
     • Introduce the corporate website
     • Identify the company mission and vision
     • Identify methods used to create value for its customers
     • Describe the web application and function being analyzed
  23. E-Commerce Function Paper (More Detail)
     • Analyze the corporate website application and describe the benefits to the organization
     • Critique the content, context and infrastructure of the website from the customer perspective
     • Provide an overall critique of the website, including a SWOT analysis
     • Make recommendations for improvement
  24. Class Exercise
     • Have you changed your shopping and banking habits over the past five years?
     • Do you shop more online than you used to?
     • Do you use and trust PayPal? 1 to 10 scale
     • What is your confidence level?
  25. Payment Systems
     • B2B = Business to Business
     • B2G = Business to Government
     • C2C = Consumer to Consumer
     • G2B = Government to Business
     • G2C = Government to Citizen
     • C2B = Consumer to Business
  26. B2B
     • Business-to-business (B2B) describes commerce transactions between businesses, such as between a manufacturer and a wholesaler, or between a wholesaler and a retailer. Contrasting terms are business-to-consumer (B2C) and business-to-government (B2G).
     • The volume of B2B transactions is much higher than the volume of B2C transactions. The primary reason for this is that in a typical supply chain there will be many B2B transactions involving subcomponents or raw materials, and only one B2C transaction, specifically the sale of the finished product to the end customer. For example, an automobile manufacturer makes several B2B transactions such as buying tires, glass for windshields, and rubber hoses for its vehicles. The final transaction, a finished vehicle sold to the consumer, is a single (B2C) transaction.
  27. B2G
     • Business-to-government (B2G) is a derivative of B2B marketing and often referred to as a market definition of "public sector marketing", which encompasses marketing products and services to government agencies through integrated marketing communications techniques such as strategic public relations, branding, marcom, advertising, and web-based communications.
     • B2G networks allow businesses to bid on government RFPs in a reverse auction fashion. Public sector organizations (PSOs) post tenders in the form of RFPs, RFIs, RFQs etc. and suppliers respond to them.
  28. C2C
     • Consumer-to-consumer (C2C) (or citizen-to-citizen) electronic commerce involves the electronically-facilitated transactions between consumers through some third party. A common example is the online auction, in which a consumer posts an item for sale and other consumers bid to purchase it; the third party generally charges a flat fee or commission. The sites are only intermediaries, just there to match consumers. They do not have to check the quality of the products being offered.
     • This type of e-commerce is expected to increase in the future because it cuts out the costs of using another company. An example cited in Management Information Systems is for someone having a garage sale to promote their sale via advertising transmitted to the GPS units of cars in the area. This would potentially reach a larger audience than just posting signs around the neighborhood.
  29. G2B
     • Government-to-Business (abbreviated G2B) is the online non-commercial interaction between local and central government and the commercial business sector, rather than private individuals (G2C). For example, http://www.dti.gov.uk is a government web site where businesses can get information and advice on e-business best practices.
  30. G2C
     • Government-to-Citizen (abbreviated G2C) is the online non-commercial interaction between local and central Government and private individuals, rather than the commercial business sector (G2B). For example, Government sectors become visibly open to the public domain via a Web Portal, thus making public services and information accessible to all. One such web portal is Government Gateway.
  31. C2B
     • Consumer-to-business (C2B) is an electronic commerce business model in which consumers (individuals) offer products and services to companies and the companies pay them. This business model is a complete reversal of the traditional business model where companies offer goods and services to consumers (business-to-consumer = B2C).
     • This kind of economic relationship is qualified as an inverted business type. The advent of the C2B scheme is due to major changes:
     • Connecting a large group of people to a bidirectional network has made this sort of commercial relationship possible. The large traditional media outlets are a one-direction relationship whereas the internet is a bidirectional one.
     • Decreased cost of technology: Individuals now have access to technologies that were once only available to large companies (digital printing and acquisition technology, high performance computers, powerful software)
  32. What is a Digital Certificate?
  33. Digital Certificates Do a Couple of Things
     • Authentication
     • Digital signing
     • Encryption
  34. Authentication
  35. Digital Signing
  36. Encryption
  37. Digital Certificates Continued
     • Digital Certificate = Electronic Passport
     • Good for authentication
     • Good non-repudiation
     • Proof of authorship
     • Proof of non-altered content
     • Encryption!
     • Better than username and password
  38. What is in a Certificate?
  39. Public and Private Keys
     • The digital certificate has two parts, a PUBLIC key and a PRIVATE key
     • The Public Key is distributed to everyone
     • The Private Key is held very closely and NEVER shared
     • The Public Key is used for encryption and verification of a digital signature
     • The Private Key is used for digital signing and decryption
  40. Public Key Cryptography
  41. Getting Someone’s Public Key
     • The Public Key must be shared to be useful
     • It can be included as part of your email signature
     • It can be looked up in an LDAP directory
     • Can you think of the advantages and disadvantages of each method?
  42. Who Could This Public Key Possibly Belong To?
  43. What is PKI?
     • PKI is an acronym for Public Key Infrastructure
     • It is the system which manages and controls the lifecycle of digital certificates
     • The PKI has many features
  44. What Is In a PKI?
     • Credentialing of individuals
     • Generating certificates
     • Distributing certificates
     • Keeping copies of certificates
     • Reissuing certificates
     • Revoking certificates
  45. Credentialing
     • Non technical, but the most important part of a PKI!
     • A certificate is only as trustworthy as the underlying credentialing and management system
     • Certificate Policies and Certificate Practices Statement
  46. Certificate Generation and Storage
     • How do you know who you are dealing with in the generation process?
     • Where you keep the certificate is important
  47. Distributing Certificates
     • Can be done remotely – benefits and drawbacks
     • Can be done face to face – benefits and drawbacks
  48. Keeping Copies – Key Escrow
     • Benefit – Available in case of emergency
     • Drawback – Can be stolen
     • Compromise is the best!
     • Use audit trails, separation of duties and good accounting controls for key escrow
  49. Certificate Renewal
     • Just like your passport, digital certificates expire
     • This is for the safety of the organization and those who do business with it
     • Short lifetime – more assurance of validity but a pain to renew
     • Long lifetime – less assurance of validity, but easier to manage
     • Use a Certificate Revocation List if you are unsure of certificate validity
  50. Trusted Root Authorities
     • A certificate issuer recognized by all computers around the globe
     • Root certificates are stored in the computer’s central certificate store
     • Requires a stringent audit and a lot of money!
  51. It Is All About Trust
  52. Using Certificates to Secure Email
     • Best use for certificates, in my opinion
     • Digital certificate provides proof that the email did indeed come from the purported sender
     • Public key enables encryption and ensures that the message can only be read by the intended recipient
  53. Secure Email is Called S/MIME
     • S/MIME = Secure Multipurpose Mail Extensions
     • S/MIME is the industry standard, not a point solution unique to a specific vendor
  54. Digital Signing of Email
     • Proves that the email came from you
     • Invalidates plausible denial
     • Proves through a checksum that the contents of the email were not altered while in transit
     • Provides a mechanism to distribute your public key
     • Does NOT prove when you sent the email
  55. Digital Signatures Do Not Prove When a Message or Document Was Signed
     • You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!
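Worked example added here (not from the lecture slides): a toy textbook-RSA signature that shows the key roles from slide 39, the checksum-based integrity proof of slide 54, the reasons a signature can fail to verify, and why only a neutral third party's timestamp (slide 55) binds a signing time. The 512-bit keys, the minimal Certificate record, the day-number dates and the sample message are constructed for the demo; it is teaching code, not the S/MIME implementation in a mail client.

```python
"""What a digital signature proves, and what it does not (toy demo, constructed).
Textbook RSA with no padding, sized for a classroom; never use this in production."""
import hashlib
import random
from dataclasses import dataclass


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public_key, private_key) as (n, e) and (n, d).
    The public half is handed to everyone; the private half is never shared."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def checksum(message: bytes) -> int:
    """The 'checksum' of slide 54: a SHA-256 digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signing uses the PRIVATE key on the checksum (slide 39)."""
    n, d = private_key
    return pow(checksum(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification uses the PUBLIC key: anyone can check, only the key holder could sign."""
    n, e = public_key
    return pow(signature, e, n) == checksum(message)


@dataclass(frozen=True)
class Certificate:
    """Hypothetical minimal certificate: a public key bound to a name, with serial and expiry."""
    subject: str
    public_key: tuple
    serial: int
    not_after: int  # constructed unit: day number


def check_signed_email(cert: Certificate, message: bytes, signature: int,
                       today: int, crl: set) -> str:
    """Return 'ok' or the first reason the signature should not be trusted:
    revoked (on the CRL), expired, or altered content / wrong key."""
    if cert.serial in crl:
        return "certificate revoked (listed on CRL)"
    if today > cert.not_after:
        return "certificate expired"
    if not verify(message, signature, cert.public_key):
        return "content altered or signed with a different key"
    return "ok"


def timestamp(signature: int, when: int, tsa_private_key) -> int:
    """A neutral third party countersigns (signature, time): that is what binds the time."""
    return sign(f"{signature}|{when}".encode(), tsa_private_key)


def verify_timestamp(signature: int, when: int, token: int, tsa_public_key) -> bool:
    return verify(f"{signature}|{when}".encode(), token, tsa_public_key)
```

Signing the same message twice with the same key gives the same value, which is the concrete reason the signature alone cannot say when it was made.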
  56. Send Me a Signed Email, Please, I Need Your Public Key
  57. Using a Digital Signature for Email Signing
     • Provides proof that the email came from the purported sender… Is this email really from Vice President Cheney?
     • Provides proof that the contents of the email have not been altered from the original form… Should we really invade Canada?
  58. A Digital Signature Can Be Invalid For Many Reasons
  59. Why Is Authenticating the Sender So Important?
  60. What if This Happens at UW-Madison?
     • Could cause harm in a critical situation
     • Case Scenario: Multiple hoax emails sent with the Chancellor’s name and email. When a real crisis arrives, people might not believe the warning. It is all about trust!
  61. Digital Signing Summary
     • Provides proof of the author
     • Testifies to message integrity
     • Valuable for both individual and mass email
     • Supported by the Wiscmail Web client (used by 80% of students)
  62. What Encryption Does
     • Encrypting data with a digital certificate secures it end to end:
     • While in transit
     • Across the network
     • While sitting on email servers
     • While in storage
     • On your desktop computer
     • On your laptop computer
     • On a server
  63. Encryption Protects the Data At Rest and In Transit
     • Physical theft from office
     • Physical theft from airport
     • Virtual theft over the network
  64. Why Encryption is Important
     • Keeps private information private
     • HIPAA, FERPA, SOX, GLB compliance
     • Proprietary research
     • Human Resource issues
     • Legal issues
     • PR issues
     • Industrial espionage
     • Over-intrusive government
     • You never know who is listening and watching!
  65. What does it actually look like in practice? – Sending
  66. What does it actually look like in practice (unlocking my private key)? – Receiving
  67. What does it actually look like in practice? – Receiving (decrypted)
  68. Digitally signed and verified; Encrypted
  69. What does it look like in practice? – Receiving (intercepted)
  70. Intercepting the Data in Transit
  71. New Applications Coming Online This Summer!
     • Bye bye old ID card!
     • Hello Smartcard!
     • One card does it all!
     • Email encryption, document signing, web access to sensitive applications and whole disk encryption
  72. Digital Certificates For Machines Too
     • SSL – Secure Socket Layer
     • Protection of data in transit
     • Protection of data at rest
     • Where is the greater threat?
     • Our certs protect both!
  73. Benefits of Using Digital Certificates
     • Provide global assurance of your identity, both internally and externally to the UW-Madison
     • Provide assurance of message authenticity and data integrity
     • Keep private information private, end to end, while in transit and storage
     • You don’t need to have a digital certificate to verify someone else’s digital signature
     • Can be used for individual or generic mail accounts
  74. Who Uses Digital Certificates at UW-Madison?
     • DoIT
     • UW Police and Security
     • Office of the Registrar
     • Office of Financial Aid
     • Office of Admissions
     • Primate Research Lab
     • Medical School
     • Bucky Badger, because he’s a team player and slightly paranoid about his basketball plays being stolen
  75. Who Uses Digital Certificates Besides UW-Madison?
     • US Department of Defense
     • US Department of Homeland Security
     • All Western European countries
     • New US Passport
     • Dartmouth College
     • University of Texas at Austin
     • Johnson & Johnson
     • Raytheon
     • Others
  76. The Telephone Analogy
     • When the telephone was invented, it was hard to sell. It needed to reach critical mass, and then everyone wanted one.
  77. That All Sounds Great in Theory, But Do I Really Need It?
     • The world seems to get along just fine without digital certificates…
     • Oh, really?
     • Let’s talk about some recent stories
  78. We Have Internal Threats Too @ UW-Madison!
  79. Class Exercise
     • Encryption, Public Key Cryptography, Digital Signing
     • Draw and discuss diagrams
     • 5.9, 5.10, 5.11
     • Pages 284, 287, 288 in textbook
  80. Class Discussion
     • Protecting privacy and intellectual property (encryption and digital signing)
     • Internet Protocols (http vs. https): Is https safe enough? (Hint: think about the ENTIRE system, including data in TRANSIT as well as data at REST)
     • Tools to ensure Internet security (Hint: host based tools such as AV and firewalls, Intrusion Detection, Intrusion Prevention, Honeypots, Physical Security, Employee training, Social Engineering)
     • Functional requirements for conducting financial transactions on the web (Hint: Authentication, Authorization, Securing data in transit, Securing data in storage, data retention policies, PCI compliance)
  81. PayPal Case Study Analysis Discussion
     • What are the value propositions that PayPal offers consumers? How about merchants?
     • What are some of the risks of using PayPal when compared to credit cards and debit cards?
     • What strategy would you recommend that PayPal pursue in order to maintain its growth over the next five years?
     • Why are cell phone networks a threat to PayPal’s future growth?
  82. Wow, That Was a Lot!
     • My favorite area of e-commerce is security!
     • Questions, comments, further discussion?
     • Assignments for next session:
     • Read chapters 6 to 8 in the textbook
     • Submit Ethical Implications paper
     • Select an article to discuss in class that involves ethical or legal issues in e-commerce
     • Project team, case study – you pick!
     • Work on your e-commerce function paper
  83. Additional Concerns