Table of Contents

Chapter One: Introduction
  1.1 Background Study
  1.2 Problem Statement
  1.3 Project Aims and Objectives
  1.4 Scope of Study
  1.5 Background of the study
Chapter 2: Overview of Security Issues in E-commerce
  2.1 Definition of terms
Chapter 3: Literature review
  3.1 Literature Review
    3.1.1 The Underlying Principles in Online Shopping using Credit Card and PayPal
    3.1.2 E-commerce Security Tools
    3.1.3 Firewalls
    3.1.4 Types of Firewalls
    3.1.5 Public Key infrastructure
    3.1.6 Encryption software Tools
    3.1.7 Digital Certificates and Signatures Security Tool
    3.1.8 Biometrics Security Tool
    3.1.9 Passwords Security Tool
    3.1.10 Major Threat Modelling Approaches
    3.1.11 Benefit of Effective E-commerce Security
Chapter 4: Methodology
  4.1 System Methodology
    4.1.1 Prototype Method
    4.1.2 Dynamic Systems Development Model (DSDM)
    4.1.3 Spring Model
    4.1.4 Agile Scrum methodology
    4.1.5 Ethical consideration conducted the following process:
  4.2 Data Collection
  4.3 Evidence of the interview Conducted Online (Template)
  4.4 Interview Summary
  4.5 Data Analysis from the Interview
    A. Security Issues Associated with E-Bay App System
    B. Security Issues Associated with Amazon App System
    C. Security Issues Associated with Konga App System
Chapter 5: Implementation and Results
  4.1 Evidence of Developing a New Threat Modelling Technique
    4.1.1 Project Result Website
  4.2 Project Result Discussion
    Goals
    Newly Developed E-commerce Application Decomposition
    Application Entry Point
    Application Assets
    Application Security Trust Level
    Application Security Data Flow Diagram
    Determining high ranking threats
    Determining possible countermeasures and mitigation
    Amazon E-commerce Application Decomposition
    Amazon Entry Point
    Amazon Security Asset
    Amazon Security Trust level
    Amazon Security Data Flow Diagram
  4.3 Evaluation of the Result
Chapter 6: Summary and Conclusion
  6.1 Summary
  6.2 Conclusion
  6.3 Recommendation
References
Appendix
  1. Time Scale Plan
  2. Support Used
  3. Skills Audit

Figure 1: E-commerce Shopping Cycle
Figure 2: Encryption and Decryption Diagrammatic representation
Figure 3: Digital signature Process
Figure 4: Stride Threat Modelling Approach
Figure 5: Diagram showing an Attack Tree on Credit Card System
Figure 6: Diagrammatic representation of Spring Model methodology
Figure 7: Diagrammatic Representation of Scrum Iteration
Figure 8: Screenshot One showing the Website Page of the Threat Model for Securing E-commerce Application
Figure 9: Screenshot Two showing the Website Page of the Threat Model for Securing E-commerce Application
Figure 10: Screenshot One showing the Website Page of the threat modelling for Securing E-commerce Application
Figure 11: New Application Security Data Flow Diagram
Figure 12: Amazon online Application Security Data Flow Diagram

Table 1: Newly Developed E-commerce Application Decomposition
Table 2: Application Entry Point
Table 3: Application Assets
Table 4: Application Security Trust Level
Table 5: High Ranking Threats
Table 6: Countermeasures and Mitigation
Table 7: Amazon E-commerce Application Decomposition
Table 8: Amazon Entry Point
Table 9: Amazon Security Asset
Table 10: Amazon Security Trust level
Table 11: High Ranking Threats
Table 12: Threat and Countermeasures
Chapter One: Introduction

1.1 Background Study

To ensure that e-commerce information assets are not compromised, defending against software security vulnerabilities is the most important line of defense. The recent increase in the complexity and volume of cyber security attacks gives convincing reasons for enhancing the security of e-commerce software applications that monitor and regulate online shopping information. The most recent global attack on e-commerce business was the ransomware attack. Most firms were affected. The rate at which the ransomware attack spread from nation to nation, and from one firm to another, was very worrisome. E-commerce is a very important and lucrative sector in any economy and has thrived since its introduction to the internet. This continuing threat and attack poses security issues for web applications today and is a serious concern to e-commerce business. Software security tools and models are a proactive approach designed to combat computer security threats that emerged about fifteen years ago. They address a vital need for software applications to be designed and developed with security in mind. Threat modeling techniques and analytical tools are among the practices used in the computer industry to reduce the volume and severity of exploitable vulnerabilities in e-commerce software applications. But most of these threat models are usually implemented after the design and development of an e-commerce application, which is not the best practice. There is a growing recognition that, in order to produce dependable and secure applications, app developers need to incorporate security into the software development lifecycle (SDLC) (Lee and Park, 2016). Embedding security into the design of the different SDLC stages allows security analysts and developers to think proactively about the countermeasures needed to discover existing threats and avert future attacks. Threat modeling is vital in developing security for the SDLC as a whole as well as for each specific stage. The aim of this project is to use threat modeling tools and approaches to identify and analyze security management in e-commerce applications.

1.2 Problem Statement

Most of the threat modeling tools used in developing e-business security systems today are usually implemented after the design and development of an e-commerce application. This is not the best practice, because this approach increases the volume and severity of exploitable vulnerabilities in the computer and e-commerce industry.

1.3 Project Aims and Objectives

Project aims: The primary aim of the study is to investigate the threat modelling tools required for securing e-commerce applications online. This aim will help in investigating the threat modelling tools and techniques used in securing e-commerce applications online. The status quo of this study is to investigate the current security challenges in e-commerce applications, by studying past research work and recommending a better approach.

Project objectives: The objectives of this project focus on the specified requirements that an e-commerce application should meet to satisfy security standards. They are outlined below:

- Appraisal of the underlying principles in online shopping using credit card and PayPal.
- Overview of e-commerce security.
- Review the different security issues in e-commerce organizations.
- Review the available security tools and security modelling approaches in e-commerce.
- Developing a standard security model for software development methodologies in e-commerce organizations.
- Comparing the degree of success of the developed security modelling approach for e-commerce applications.

1.4 Scope of Study

This study focuses on the past and current challenges and threats in securing e-commerce applications online. In this study the researcher aims to use past research work, current research materials, and interactive social media platforms to obtain the most recent and up-to-date security models being used to curb or reduce security threats online.

1.5 Background of the study

In the current global economy, application security plays a pivotal role in network security. Hackers consistently use advanced technologies and techniques to access important data and carry out other significant activities against e-commerce network applications (Ott, 2008). In the electronic technology sectors, privacy and security are major factors. The e-commerce sector shares these views in line with other technological fields. While some firms are faced with difficulties in making their website
security sophisticated enough to provide customers with effective secure payment online, other firms like PayPal, WePay and ProPay have provided their customers with the security of accessing any website with an assurance that their information is safe. Notwithstanding, big firms are investing heavily in addressing e-commerce security challenges using different tools and techniques. One approach to analysing the security level of an application, system or piece of software is threat modelling and security tools (Li et al., 2012). It is a structured approach that enables one to identify, measure and address the security hazards associated with applications and software (Amini et al., 2017). This project, however, will limit its scope to e-commerce applications such as E-bay, Amazon and Konga. There are basically three different types of threat modelling approaches available today; they include fault tree analysis, attack trees, STRIDE and DREAD (Wagner et al., 2009). These approaches and techniques to application security have proven to be ineffective, as evidenced by their vulnerabilities, which permit applications to be attacked or damaged. A challenging task is determining which approach will give the best result when applied to a specific software application or e-commerce application. Determining how to solve this security challenge effectively using the most effective tool is therefore the crux of this project. An overview of the problem statement is why security in e-commerce applications is needed, and the best approach to apply.

This research survey evaluated the existing threat modelling techniques and tools from the literature review. The report discusses various methodologies for this research and gives reasons why the agile methodology was adopted in developing a new threat modelling technique framework. This new threat modelling technique framework was proposed together with a functional website discussing how it should be used. The report also documents the appropriate ethical considerations observed following an interview conducted to observe how users of the E-bay, Amazon and Konga e-commerce mobile applications are concerned with security on these platforms. Its findings are discussed in a later chapter, where recommendations will be made.

Chapter 2: Overview of Security Issues in E-commerce

There has been a significant increase in the level of business transactions performed electronically since the emergence of the Internet and the World Wide Web. For every transaction that occurs on the web and the internet, security is of utmost importance. The e-commerce security threat is a major aspect of the security obstacles facing e-business activities today. It covers all areas of e-business, including social networking, marketing and other realms of information security (Kelly and Rowland, 2000). E-commerce security is one of the major security issues affecting most end users today through their interactions with online businesses, which could be payment for services rendered and other financial transactions.

Traditionally, authentication mechanisms in e-commerce are based on providing personal security identification and access control methods (Hanumesh and Sunder, 2000). There has, though, been improvement through modern advanced encryption and complementary authentication mechanisms, which employ authentication algorithms to optimise security in e-commerce. The advent of e-commerce has exposed the banking industry to great opportunity, even though it created a new set of risks and increased vulnerability and security threats. Information security should be seen as an essential and integral part of the management and technical requirements for any efficient and effective transactions and financial activities over the internet. Online e-commerce applications that use payment methods such as electronic transactions, debit cards, credit cards, PayPal or other tokens stand a greater risk of being hacked, whether through network servers, data loss or alteration of the e-commerce applications (Lin, 2017).

2.1 Definition of terms

Online customers' awareness of possible identity theft, financial fraud and other irregularities when performing financial transactions on the web has increased due to warnings from media houses on security and privacy breaches. This has placed limitations on e-commerce businesses in terms of growth and profit maximisation. A lot of end users and customers have declined to perform online exchanges due to lack of trust and fear of losing their personal information to criminals (Bruton, 1999). End users no longer have confidence in e-business due to:

Fraud: This is an act that can result in direct financial loss from a customer's account to a criminal's account without any financial records being updated.

Electronic thief: It refers to an intruder that can disclose confidential or protected information to a third party, with the sole aim of financial gain. E-commerce systems are liable to irregularities which could result in interception of customers' online shopping activities, thereby causing distress.

Security confidentiality: giving customers the confidence that the data sent to e-commerce firms has integrity and confidentiality and is not for public view.

E-commerce integrity: assuring customers that the information and data provided are real, accurate and safeguarded from unauthorized user modification, which is not usually the
case. Insecure firewall filters in e-commerce networks and the internet create loopholes in files and information, thereby allowing them into the wrong hands.

Phishing: an attack on e-commerce networks and systems by cyber criminals, resulting in attacks on vulnerable software and machines that enable cyber theft.

Malicious code: sent to attack e-commerce systems in the form of worms, by Trojan horses and bots, which can replicate and spread from one file to another or from one system to another.

When it comes to buying and selling goods and services online, e-commerce is still at the forefront; shopping and making transactions with just a click using desktop and mobile apps are effectively utilised. Because numerous web-based mobile applications are being created to satisfy client shopping desires, there is a need to address e-business security issues by effectively using appropriate tools and threat techniques. These tools and other existing ones will be evaluated in this report. Also considered is the possibility of embedding these threat modelling tools and approaches into software development processes, to tackle security before e-commerce applications are developed.

Chapter 3: Literature review

3.1 Literature Review

3.1.1 The Underlying Principles in Online Shopping using Credit Card and PayPal

The current innovation of online card payments and PayPal payment occurs with online-generated virtual personal account numbers. The account numbers are usually invisible to individuals using the internet to make online purchases. All online shopping cards have an internally writeable magnetic data stripe which enables them to be used at a point of sale, at automated reading machines and on e-business websites. This is because the internally writeable magnetic data stripes are readable with special payment-reading software (Hayashi, 2012). Automated online card payment systems appear on most shopping websites, to permit faster, easier and verifiable transactions using the magnetic stripe on the back of the card, which is linked to a card number (Long and Vy, 2016). A card reader is used to verify the card details in real time to track fraudulent cards speedily and accurately (Long and Vy, 2016). However, online fraudsters are constantly looking for modern techniques to defeat online card reading machines (Virtue, 2013).

An online card could be MasterCard, Visa, Vector One or another typical payment card, usually unique to identify an account holder (Virtue, 2013). A standard card contains a customised personal account number, usually a system number, bank number, user account number or a check digit. The personal account number is associated with an expiration date and year issued by the bank; in some cases the account holder's name or business appears on the card, as well as the bank's unique sort code. On the other side of the card is a 3-digit number (CVC), known as the card confirmation code. The CVC is not embedded on the card, therefore online systems cannot print or store the number, and it can thus only be approved by the card holder. There are two main sorts of transactions when using a credit card: online, associated with web transactions, and offline, associated with POS transactions (Dara and Gundemoni, 2017).

For online transactions of any sort to be completed, a card holder obtains a virtual account online that can be used only once. The virtual online number is generated for a user device intending to access an e-commerce website for a transaction. PayPal is a company whose main service is to generate an online virtual account, instead of using a credit card, which cannot be easily hacked by fraudsters (Savage, 2001). PayPal claims to have successfully addressed the security limitations of online credit cards. The online virtual account number generated can reprogram some of the magnetic bits encoded in the magnetic stripe on the debit or credit card, to reset and update the last virtual account number used online for shopping on a website. The online virtual account number generator produces a sequence of virtual numbers that can be predicted and approved by the bank that issued the credit card. Once a virtual account number is used, it is discarded and put on the bank's excluded account number list. While using the card, there is a request by the e-commerce website to produce the expiration date and the authorization number (CVC) of the credit card before any payment is successfully completed.
Figure 1: E-commerce Shopping Cycle

3.1.2 E-commerce Security Tools

Threat modelling tools allow users to systematically identify and rate the dangers that are most likely to influence or affect a system's functionality. These tools identify and rate threats based on a solid understanding of the architecture, design and implementation of the software application tested (Weston, 2016). Security threats can be addressed with proper countermeasures in a logical order, beginning with the threats that pose the greatest risk. Threat modelling is a structured approach that is far more cost efficient and viable than applying security features in a haphazard manner without knowing precisely what threat each feature is supposed to address (Jamil et al., 2015).

This review focuses on the current e-commerce tools and modelling approaches used in tackling security issues. The Microsoft threat analysis & modelling (TAM) tool, developed by their application consulting and engineering (ACE) team, is an example of the pragmatic use of an asset-centric modelling approach. In contrast, software-centric approaches are more suited to systems with an unknown deployment pattern and are designed to ensure the security of the software application's underlying code in the context of rich server and client development. The security development lifecycle (SDL) threat modelling tool, also by Microsoft, is an example of the use of a software-centric modelling approach. The attacker-centric focus takes the adversary's view to identify risks to the system. This requires the developer to think like an attacker, to comprehend their motivation and capabilities, which is likely to pose a challenge to inexperienced users. Attack trees can also be called a threat tool used to impart this information. Other examples include:

- Firewalls – Software and Hardware.
- Public key infrastructure.
- Encryption software.
- Digital certificates.
- Digital signatures.
- Biometrics – retinal scan, fingerprints, voice etc.
- Passwords.
- Locks and bars – network operations centre (Cobb, 2011).

3.1.3 Firewalls

A firewall is a software tool that allows or denies both incoming and outgoing communications through a computer's ports or local network (Anicas, 2015). Firewalls filter traffic based on a variety of factors, which include rules, IP address, local connection and online connections. A firewall acts as a bouncer, sending away traffic that doesn't fit a system or network connectivity. A firewall can also be used to block website pop-ups and restrict unwanted online ads that an application or website user doesn't wish to see. Firewalls can also filter sites known to be sources of malware, deterring users from accidentally downloading a virus. The firewall used depends on the network concerned, namely multiple firewalls, multiple internal networks, VPNs, extranets and perimeter networks. There could also be a variety of connection types, for example TCP and UDP, audio or video streaming, and downloading of applets. Different firewall configurations are applied to different system and application connections. Several firewall products from different vendors also exist in the market.
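As an added example (not part of the original report), the sketch below shows how rule-based filtering of the kind described in this section is typically evaluated: rules are checked in order, the first match decides, and anything unmatched is denied. It also flags rules that can never fire because an earlier, broader rule covers them. The rule names, the RFC 5737 documentation addresses and the ports are constructed for illustration.

```python
"""Stateless packet filter: first-match evaluation with default deny.

Added illustration. Rule names, addresses (RFC 5737 documentation ranges)
and ports are constructed, not taken from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source network in CIDR form
    dst: str                # destination network in CIDR form
    ports: Optional[range]  # destination ports; None means any port

    def matches(self, proto, src_ip, dst_ip, dport):
        """True if a packet with these header fields hits this rule."""
        return (
            self.proto in ("any", proto)
            and ip_address(src_ip) in ip_network(self.src)
            and ip_address(dst_ip) in ip_network(self.dst)
            and (self.ports is None or dport in self.ports)
        )

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        ports_ok = self.ports is None or (
            other.ports is not None
            and other.ports.start >= self.ports.start
            and other.ports.stop <= self.ports.stop
        )
        return (
            self.proto in ("any", other.proto)
            and ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and ports_ok
        )


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Return (action, rule name); the first matching rule wins."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, rule.name
    return "deny", "default-deny"  # nothing matched: fail closed


def shadowed(rules):
    """List (unreachable rule, earlier rule that covers it) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set for a shop front end at 203.0.113.10.
ALLOW_HTTPS = Rule("allow-https", "allow", "tcp",
                   "0.0.0.0/0", "203.0.113.10/32", range(443, 444))
BLOCK_BAD = Rule("block-bad-net", "deny", "tcp",
                 "198.51.100.0/24", "203.0.113.10/32", range(443, 444))
ALLOW_DB = Rule("allow-db-from-web", "allow", "tcp",
                "203.0.113.10/32", "10.0.5.20/32", range(5432, 5433))

# Misordered: the broad allow is reached before the specific deny.
RULES_MISORDERED = [ALLOW_HTTPS, BLOCK_BAD, ALLOW_DB]
# Corrected: specific deny first, then the broad allow.
RULES_FIXED = [BLOCK_BAD, ALLOW_HTTPS, ALLOW_DB]


if __name__ == "__main__":
    packet = ("tcp", "198.51.100.7", "203.0.113.10", 443)
    print("misordered:", evaluate(RULES_MISORDERED, *packet))
    print("fixed:     ", evaluate(RULES_FIXED, *packet))
    print("shadowed in misordered set:", shadowed(RULES_MISORDERED))
```

Running the shadow check whenever the rule set changes catches deny rules that were appended after a broader allow and therefore never take effect.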
3.1.4 Types of Firewalls

Packet Filtering: This is a basic firewall, with simple functionality and operations to block connections to and from specific hosts, networks and ports (Eastep, 2017). Packet filtering essentially examines a packet and determines whether it conforms to the set rules that will permit it through, based on the packet header, IP address and port. Due to the simplicity of their operation, packet filters have the advantages of both speed and efficiency. An additional advantage is that they do their job quite independently of the user's knowledge or assistance, i.e., they have good transparency (Meyer, 2006a). They are cheap because they use software already resident in the router, and they provide a good level of security since they are placed strategically at the choke point (Meyer, 2006b).

Circuit Filtering: A circuit proxy differs from the packet filtering firewall mainly in that the circuit proxy addresses all communicators' channels and must address their packets individually. Assuming access has been granted, the circuit proxy replaces the original address with its own address of the intended destination. It has the drawback of laying claim to the processing resources needed to modify the header, and the benefit of masking the IP address of the target system (Zalenski, 2002). However, there is a potential for harmful data to break through the channel to the internal customer system on the assumption that the packet has been analysed properly.

Application Proxy Firewalls: These firewalls are a more complicated process than circuit and packet filtering firewalls. The application proxy understands online application protocols and data, as well as intercepting any information intended to harm
anonlineapplication(SavolaandAbie,2009).Thesefirewallsarehelpfulin counteracting assaults on procedures such HTTP and SMTP, guarding against SQL infusion and DDoS assaults at the beginning of an attack. They can authenticate users and judge whether any of the data could pose a threat. Application proxies are referred to as proxy services, and the host machines running them as application gateways (Корнієнко, 2006). Stateful Multilayer Inspection:This firewall is a combination of packet filtering, circuit proxy and application layer firewalls discussed above. Although, it is a complex and effective firewall that is more reliable than just the basic firewall. This firewall is self- protecting as there are no administrators needed to regulate it frequently as it is self- regulating and is proficient in protecting online packages (Chopra, 2016). 3.1.5 Public Key infrastructure Complex business systems like e-commerce and automated business transactions require robust and rigorous security measures. Public Key infrastructure supports the open key contained in SSL declarations that permits distribution and identification of public encryption key and secure network or data (Morgan, 2004a). Utilizing public key infrastructureisasimilarwaytosecuringE-businessesandgenerallycertificate authorisation. Web assets such as programs, servers, customer emails and different types of hardware equipment and software programming can be incorporated into public key infrastructure to boost online security (Morgan, 2004b). Systems that often require public key infrastructure based security mechanisms include email, various chip cards within e- commerce (e.g. debit and credit cards) and electronic postal systems. The Public Key Infrastructure environment is made up of five components:
1. Certification Authority (CA) - serves as the root of trust that authenticates the identity of individuals, computers and other entities in the network.
2. Registration Authority (RA) - is certified by a root CA to issue certificates for uses permitted by the CA. In a Microsoft PKI environment, the RA is normally called a subordinate CA.
3. Certificate Database - saves certificate requests and the issued and revoked certificates from the RA or CA.
4. Certificate Store - saves issued certificates and pending or rejected certificate requests from the local computer.
5. Key Archival Server - saves encrypted private keys in a certificate database for disaster recovery purposes in case the Certificate Database is lost (Gritzalis, 2005).

3.1.6 Encryption Software Tools

Data encryption software tools are systems with the ability to encrypt data both for transmission over a non-secure network and for storage for future use (Kumar, 2017a). Encryption does not itself prevent interference with data, but it prevents the intelligible content of the data from being revealed to or intercepted by an unwanted individual or user. Encryption is extremely important in e-commerce as it allows confidential information such as credit card details to be used safely while shopping online (Kumar, 2017b). Encryption works by scrambling the original message with a very large piece of code, making it unreadable for anybody else attempting to access it. After the data is encrypted, the sender and receiver are the only users with the ability to decrypt the scrambled information back to a readable
condition. This is achieved through a 'key'; the key gives users the ability to access or modify the data, making it unreadable or readable.

Figure 2: Encryption and Decryption Diagrammatic representation.

Encryption is widely used as a security protection tool, to secure online applications and protect data. E-commerce app companies mainly use this tool in their Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol, to indicate to their application users that their app is safe and transparent (Smith, 2016). In other online applications
encryption is also used where a password is entered to encrypt or decrypt the protected data, if a cryptographic key is used as the password.

The SSL protocol and TLS are the primary end-to-end security encryption protocols used to protect information traversing the Internet. The most common scenario for using these protocols is a web browser acting as a client for human users interacting with a web server. Thus, using SSL and TLS as encryption between a web browser and a web server can protect important data from unauthorized parties or users.

Finally, encryption tools can be used to secure a hard drive, a USB device and end-to-end users over local computer networks. This is possible as unauthorised users cannot reproduce the plaintext used to encrypt the drives and servers without the cryptographic key. This is another major way of ensuring e-commerce security.

3.1.7 Digital Certificates and Signatures Security Tool

A digital signature tool facilitates the safe exchange of electronic documents and files by providing a way to test the authenticity and the integrity of the information exchanged online or digitally (Mason, 2014a). It is in effect an encrypted hash of the message: to check whether the message was tampered with, the recipient hashes the received message and compares that value with the decrypted signature. A digital signature is created by a series of mathematical processes that transform data into a uniquely coded 'message digest' (Mason, 2014b). The message digest is encrypted and attached to the message being exchanged, as a digital signature, for security between the message sender and message recipient.
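The hash-then-sign check described above, as an added example that is not part of the original document: the sender signs the SHA-256 digest of an order, and the recipient recomputes the digest and compares it with the value recovered from the signature. It uses textbook RSA with a constructed toy key so that it runs on the Python standard library alone; the order fields and function names are assumptions, and a production system would use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib
import json

E = 65537  # public exponent shared by both constructed keys


def make_key(p: int, q: int) -> tuple[int, int]:
    """Return (modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys built from well-known Mersenne primes. They are
# trivially factorable and exist only to make the arithmetic runnable.
N, D = make_key(2**521 - 1, 2**607 - 1)               # the genuine sender
OTHER_N, OTHER_D = make_key(2**127 - 1, 2**1279 - 1)  # some other party


def canonical_bytes(order: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest_int(message: bytes) -> int:
    """SHA-256 message digest as an integer (256 bits, smaller than either modulus)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: recover the digest from the signature with the sender's
    public key and compare it with a digest of the message actually received."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)


def demo() -> dict:
    # Constructed sample order; every field value is made up for the example.
    order = {"order_id": "A-1001", "payee": "shop.example",
             "amount": "49.99", "currency": "GBP"}
    message = canonical_bytes(order)
    signature = sign(message)

    # Integrity: the amount is changed in transit, the signature is not.
    tampered = canonical_bytes(dict(order, amount="4999.00"))
    # Authenticity: another party signs the same order with its own key.
    forged = sign(message, d=OTHER_D, n=OTHER_N)

    return {
        "genuine": verify(message, signature),
        "tampered": verify(tampered, signature),
        "forged": verify(message, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never needs the private exponent; what it does need is assurance that the public key really belongs to the sender, which is the role of the digital certificate.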
On the other hand, a digital certificate is a special kind of machine-readable document issued by a trusted certificate authority to an individual or organisation, and is unique to them. The digital certificate is kept secret and access to it is usually protected with a password. There is also a public part to a digital certificate, which only individuals with the digital certificate password can use to encrypt or decrypt a message. Digital certificates must be issued by a trusted authority and are only valid for a specific duration of time. A digital certificate is always required to successfully create an authorised digital signature (Chen, 2002).

Figure 3: Digital signature Process

The digital signature tool can be applied to electronic documents and online transactions for security purposes. The tool is used because its security verification can be automated and alteration of a digital signature can be detected by the e-commerce company using its
services. A digital certificate, meanwhile, is used to bind public keys to a person or a group of people to ensure a digital signature is not easily forged by unauthorized users. Employing digital signature and certification tools in a company's system grants secure control. This is capable of enforcing policies that require effective separation of duties among colleagues of an e-commerce company, higher authorities and senior administrators from their superiors. The digital certificate is used on HTTPS-based transaction websites belonging to e-commerce firms and government agencies to increase their trustworthiness to users.

3.1.8 Biometrics Security Tool

A biometric security tool is a method of verifying identity to software or a system based on an individual's unique physical features or an action (Indi and Raut, 2012). This biometric measurement could be applied to a document as evidence of an individual's personal signature. Biometric authentication is based on the specific physical features and behavioural characteristics of individuals. These attributes are mainly an individual's facial recognition, fingerprint, hand geometry, iris, keystroke, signature, and voice recognition. Biometric security is inherently more reliable than password based authentication, as individual traits cannot be lost or stolen by unwanted persons. In addition, biometric traits are difficult for hackers to copy, share and distribute, as they require the person being authenticated to be present at the time and point of authentication before a security breach can occur.

Biometric systems are increasingly being used to recognize individuals and to regulate access to physical spaces, information, services and other rights and benefits,
including the ability of individuals to cross international borders (Moore, 2007). They also help to improve the convenience and efficiency of routine access transactions, reducing online fraud and enhancing public safety and national security.

3.1.9 Passwords Security Tool

Passwords are the unique keys to IT software; abuse or misuse of any IT password or key will result in credential data leakage and breach of privacy (Riley and Chaparro, 2006a). To improve control over passwords and prevent breaches of secured data from occurring, organisations must store them securely, change them regularly and monitor their usage. Passwords are commonly used in conjunction with a username. However, on most secure e-commerce websites they may also be used alongside other methods of identification such as a separate PIN, memorable information and touch ID. On some other major websites, customers are also asked to enter only certain characters of their password, for additional security.

To verify that a user entered the right user ID, that individual is requested to provide an identification or password. This password and username must be known only to the individual using the system or application. Most network developers suggest that systems' end users should change their passwords on a periodic basis to enhance their personal security. A password is typically a word or group of sentences of between four and thirty-two characters, depending on how the computer system is set up (Riley and Chaparro, 2006b). When a password is entered, the computer system is careful not to display the characters
on the display screen, in most cases; otherwise other individuals might see it. App developers suggest that system passwords need to be very difficult, so that they cannot be cracked by guessing, brute force cracking, dictionary attacks or other common methods. Password hardening is one of the major measures taken to make it more difficult for an intruder to circumvent the authentication process of any e-commerce system or application.

3.1.10 Major Threat Modelling Approaches

The concept of threat modelling is not new, but its definition has shifted in recent years toward the internet security dimension. Threat modelling is an approach for analysing the security of an online application or system (Semple, 2015). It is a structured approach that enables software engineers to identify, quantify, analyse and address the security risks associated with an application or software. Threat modelling is not an approach to reviewing code; rather, it complements the security code review process of an application. Threat modelling can be viewed in two different contexts, especially when it relates to e-commerce (Pye and Warren, 2007). The first is the security approach that uses the architecture, implementation or structure of the application's functionality to help map out its security requirements. The second is the possible attackable components or assets of the e-commerce application. The various available threat modelling techniques have the major goal of implementing countermeasures for different applications; however, this review will be mainly concerned with the threat modelling approaches related to e-commerce applications. According to Potter (2009), the different threat modelling approaches are grouped into:
1. Soft-Centric - These approaches involve designing threat systems that can be illustrated using software architecture diagrams such as data-flow diagrams (DFD), use case diagrams or component diagrams. Examples of soft-centric approaches are Microsoft's Security Development Lifecycle Frame and Microsoft Threat Analysis and modelling Tools.
2. Asset-Centric - These approaches involve identifying the assets of an organisation entrusted to a system or software that are sensitive and have a high potential of attack by cyber-criminals. Examples are Attack tree, Attack graph, Trike and Amenaza's Securitree.
3. Attacker-Centric - These threat modelling approaches involve modelling a specific attack requirement profile for an attacker based on their known characteristics, skill-set and motivation to exploit a vulnerability in an online system or software. The threat approach is then built on the understood attacker's profile, that is, on who is most likely to execute a specific type of exploitation, with mitigation planned accordingly using the attacker's known strategy. However, there is no specific example; the majority of attacker-centric approaches are done by major security companies such as Threat Modeller and MyAppSecurity using the principle of the attack tree technique.

It has been noticed that different firms approach security from different perspectives and styles; however, the attack-centric and the asset-centric approaches are the ones mainly used.

Technique 1: STRIDE is a modelling approach used to meet the security properties of Confidentiality, Integrity, and Availability (CIA), along with Authorization. Microsoft uses its STRIDE methodology mainly for authentication and
confidentiality. STRIDE is an acronym that defines a threat classification system; it stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (Menkus, 1997). It is an architectural model based on Data Flow Diagrams (DFD). DFDs are used to graphically represent the application and use a standard set of symbols comprising four components: data flows, data stores, processes, and interactions with trust boundaries to incorporate threat modelling. Each element of the diagram generates a set of STRIDE threats. This systematic process helps to identify and rank potential risks that may influence design level and architectural artefacts in a software system.

Figure 4: STRIDE Threat Modelling Approach

Technique 2: Process for Attack Simulation & Threat Analysis (PASTA) is a seven-step process that is applicable to most application development methodologies and its application is agnostic (Han et al., 2009). PASTA portrays a set of process events, or
stages, through the recommendation of set process inputs and the normal process outputs. These outcomes drive the execution of the activities of each stage. Each of the seven stages has specific objectives and expected deliverables (Sangita and Madhuri, 2015). The PASTA methodology maps well onto the requirements definition phase of most SDLC processes by listing any administration-related issues, alongside potential risk and business impact considerations. The seven key activities in PASTA are as follows:

Define Business Objectives
Define Tech Scope
App Decomposition
Threat Analysis
Vulnerability Detection
Attack Enumeration
Risk and Impact Analysis (Mehta, 2016).

Technique 3: Attack Trees provide a formal, systematic method of describing the security of systems, based on varying attacks. Essentially, the tree structure represents attacks against a system, with the attacker's objective as the root node and the different ways of achieving that goal as leaf nodes (Schneier, 2000). The nodes become sub-goals, with the ways of achieving each sub-goal being the children of that node. OR nodes are used to represent alternatives and AND nodes are used to represent different steps toward achieving the same goal. Once the tree is assembled, one can assign values to the various leaf nodes, and then make calculations about the nodes. The security of the goal can also be calculated once the values are assigned. The attack attributes help in relating risk to an attack. An Attack Tree can include special knowledge or equipment that is needed, the
time required to complete a step, and the physical and legal risks assumed by the attacker (DSouza, 2016). The Attack Tree's values could be operational or development expenses. It supports design and requirement decisions. If an attack costs the perpetrator more than the benefit, that attack will most likely not occur. However, if there are simple attacks that may result in a benefit, then those need protection.

Figure 5: Diagram showing an Attack Tree on Credit Card System

3.1.11 Benefit of Effective E-commerce Security

Change, as is commonly said, is the only constant for mankind. It is a trend that will never become obsolete. Humanity over the years has witnessed diverse, tremendous and notable technological advancements. Arguably, one of the greatest inventions of all time was the advent of the internet. That alone catapulted information technology to a whole new dimension. Information in
diverse forms can now be dispersed and obtained at the speed of light. The right information is needed by every organisation to thrive at its maximum capacity. Ever since the year 2000, e-commerce has revolutionized the dynamics of both the international and local market place (McGrath, 2017). It would have been near impossible for 21st century trade to reach its present altitude without e-commerce. However, a new level of advancement comes with its own challenges. As with other routes of trade, the necessity of security, which is a major public concern in e-commerce, cannot be overemphasized. Security is perhaps the most significant aspect when developing any e-commerce website. Having physical security measures, such as a Secure Server Connection (SSL Certificate), is essential, but it also needs to be made very clear to potential buyers that all the information that they submit is secured by the best security measures available, with a clear display of all security badges to attract online customers.

Firstly, a secure system would build the confidence of potential investors and buyers in the online store. Customers need to be assured that all their details, both personal and financial, are kept safe, for e-commerce to grow (Herrmann and Herrmann, 2004). An insecure buyer would always shy away from a great deal online, for fear of a scam and hacking of personal details.

Secondly, online security is needed to avoid unnecessary cash loss. Business is all about providing goods and services to make the maximum profits available, so if we constantly run into losses due to hackers breaking into our websites and lawsuits from clients, then the main aim of running that platform is defeated.
Thirdly, e-commerce has transformed the banking sector as well. A banking system, building society or finance house cannot function without adequate security measures put in place by the e-commerce business (Samant, 2008). A secure and satisfied client would also refer more clients to you, thereby increasing the customer base. People tend to work with organizations that they believe have a good track record for security.

Chapter 4: Methodology

4.1 System Methodology

A software development methodology is a framework that is used to structure, plan, and control the process of developing an information system (IT Knowledge Portal, 2015). System methodology is used in this work in order to improve upon existing working software or a framework as it develops, allowing for regular inspection of the product. Research methodology allows the right analysis and product for a system to be produced accurately by allowing for constant communication between researcher, designer, tester and users. Furthermore, research methodology gives clear visibility of a project by helping to ensure that any necessary decisions can be made at the earliest possible opportunity. This is normally done to avoid unforeseen circumstances while there is still time to avoid any risk outcome. Also, research methodology is an efficient way of effectively managing time for a project.

In this work, four research methodologies were selected to be applied in the analysis process of Threat Modelling Tools and Techniques used in securing e-commerce applications online. They include:
Prototype Methods
Dynamic Systems Development Model (DSDM)
Spring
Agile Scrum Development

4.1.1 Prototype Method

Evolutionary prototyping is the process of continuous development by creating multiple prototypes based on the feedback received from the past prototype and requirements gathered from a client (Shah, 2001). This software methodology encourages requirements churning, by delivering the system in small parts to the users for better understanding. Any new changes can be recognized and integrated into the next prototype, alongside newly found research developments. Essentially, the prototype starts out very small and grows in size and structure as different sections are added (Carey & Mason, 1983). This methodology is normally used alongside the agile methodology because of its mixed range in planning and documentation of a project. It is swift to react to changes in client requirements, as well as in dealing with any problems which may arise as the project grows.

4.1.2 Dynamic Systems Development Model (DSDM)

The Dynamic Systems Development Method (DSDM) is an agile project delivery framework principally used as a software development method. It is a methodology which encapsulates a significant part of current project knowledge and how to manage that knowledge in developing a new artefact. This method was established by a software improvement group; however, programming advancement led to designing and
subsequently producing an engineering and business project development methodology. The methodology has generally changed the way large frameworks and complex project tasks can be solved. I considered this approach for this research because of its ability to produce a flexible prototype result that is direct, immediate and visible. Moreover, it eliminates bureaucracy and breaks down communication barriers between the project researcher and the different parties involved in the project. However, this methodology was not used for this project because of the difficulty of understanding it and implementing it successfully. The strictness of adhering to its principles made this methodology difficult to control when applied to the development of the new security threat modelling framework.

4.1.3 Spring Model

The spring model was proposed by Boehm in 1986; it aimed to minimize risk within the software development process through early detection of potential problem areas (Nilsson, 2012). The spring model utilizes an iterative design which incorporates five stages: objectives setting, risk assessment, development, validation and constant planning.
Figure 6: Diagrammatic representation of Spring Model methodology

The spring model is effectively an evolution of the Waterfall model, which allows a research project to take place in a continuous spiral flow (Gibson, 1998). If this methodology is applied to threat modelling tools and techniques in securing e-commerce applications online and analysis is carried out, there will be an improvement to the existing security tools and approaches when evaluation tests are done on the project. The spring model is too flexible in terms of requirement gathering compared with the scrum model (Stoica et al., 2013); thus, the spring model is considered too simple for this project.

4.1.4 Agile Scrum methodology

In web application development, agile system methodology is widely accepted and satisfactory. This is due to its agile nature and its provision for evolving requirements
instead of the waterfall methodology (Pressman, 2009). This method emphasizes client collaboration and satisfaction, defect rate reduction and, most importantly, short iterations within a time frame. Agile is a preferred method for most designs as it aims to shorten the timescale and add value to the project with each iteration. There are several agile methodologies; however, this report will focus on the SCRUM methodology. Background information on the Scrum methodology will be provided to give a clear understanding of this choice of methodology. An evaluation is done to provide a clear view as to why it was selected. Fig 7.1 shows how the SCRUM process works.

Design that constantly changes requires the SCRUM methodology. This method helps in breaking down a large design into smaller tasks, which are called 'sprints'. It requires communication and teamwork between team members from different levels as well as users. The major people involved in the project are the 'ScrumMaster', who is the project researcher, and the project supervisor, who offers support to the framework development. SCRUM will achieve requirements more quickly, as the time frame for implementing this project is reduced, because it has effective iteration management.
Figure 7: Diagrammatic Representation of Scrum Iteration

Ethical consideration is based on an accumulation of values and principles; one of the clearest definitions is simply the conflict of interest between researchers and the people being researched (Dickens and Cook, 2005). It requires the researcher to take measures so that every single form of ethical code is followed to the letter, to avoid any unforeseen risk to the research project. To further eliminate risk, the researcher had to obtain written consent from each research participant. The consent data was collected using the British Educational Research Association (BERA) process for ensuring the subject understands what he/she is doing and why it is necessary to the research.

4.1.5 Ethical consideration conducted the following process:

Negotiating access to information in the e-commerce sector.
Informing individuals and companies and obtaining their personal consent before using their information for this project.
Abiding by the United Kingdom Data Protection Act 1998.
Giving respondents of the project the right to withdraw at any time, with or without justification.
Privacy and disclosure, i.e. the procedures regarding confidentiality will be clearly explained to e-commerce firms (e.g. use of names, pseudonyms, anonymization of data, etc.).
The use of the data in the research project, publications, sharing and archiving will be explained to staff of the e-commerce firms.
The agreement date and signature will be kept for reference purposes.
Company information will be stored securely and information will not be shared with 3rd parties.
Written permission will be obtained from participants before commencement of data collection.
(British Educational Research Association, 2001)

4.2 Data Collection

The interview was conducted with users of the case-studied e-commerce firms. In the process of conducting this interview, I contacted various people; they include selected IT staff, users and suppliers. They were all treated fairly and with freedom, regardless of age, gender, ethnicity or religion. Questions were asked in a manner such that the respondents were free to express themselves. Each of the users of the application understood and agreed to undertake the interview without any duress. The users also understood the process in which they would be engaged and why they were participating in it. All participants were briefed on how and to whom to report if not clear about any procedure. The interview was then carried out after written approval from the respondent.

A reasonable understanding was given to the respondents that this researcher would not have access to the data or information given unless it was agreed to preserve the confidentiality of the data and to accept the terms specified by the firms and users. The selected organizations will have the right to know how, where and why their data is being stored. The transcription of the collected data is discussed in the interview analysis section.
The main participants of this interview were mainly teen aged residents. The age range of participants was from 20 to 30; this is because they are the active users of the selected e-commerce organisations. I selected this age grade randomly because, according to selection on the e-commerce application website, teens are their active users.

4.3 Evidence of the Interview Conducted Online (Template)

Interview Questions Template

Ethic Understanding
Understand and confirm your choice by underlining the appropriate answer.

I have read and understood the information about the project, as provided in the Information Sheet dated 28/01/2017. Yes/No
I have been given the opportunity to ask questions about the project and my participation. Yes/No
I understand I can withdraw at any time from the interview without giving reasons and that I will not be penalised for withdrawing nor will I be questioned on why I have withdrawn. Yes/No
The procedures regarding confidentiality have been clearly explained (e.g. use of names, pseudonyms, anonymization of data, etc.) to me. Yes/No
I would like my name used and understand what I have said or written as part of this study will be used in reports, publications and other research outputs so that anything I have contributed to this project can be recognised. Yes/No

Name:
Signature:

Questions

Do you use online shopping websites? Yes/No
Do you use your credit card or PayPal? Yes/No
Do you consider the security of your personal data while using the e-commerce application? Yes/No
Who should be responsible for your personal data security (Me / E-business Company)? Yes/No
Do you shop with:
i. eBay Yes/No
ii. Amazon Yes/No
iii. Konga Yes/No
Do you have any security concern while using this website?
i. eBay Yes/No
ii. Amazon Yes/No
iii. Konga Yes/No
If (yes) please explain
Any further suggestion on e-commerce issues:

Date
Signature

4.4 Interview Summary

At the end of the interview, 80% of the participants accepted they had done online shopping with their credit card on an e-commerce website. The majority of the respondents had not used PayPal; however, it was clear they engaged other services that were not PayPal in order to make transactions on an e-commerce website. Among the participants, those that use their credit card stated that it is sometimes unsafe to use it on an e-commerce website because of credit theft. However, participants were happy using their credit card to shop online because of the convenience it provides, compared to going out to shop at regular shops. Notwithstanding, 95% of the participants would like the e-commerce firms and their bank online credit card issuer to do more in providing adequate protection from cybercriminals while they use their online websites and applications. Other respondents who use PayPal claimed they use it to secure their bank card due to bad experiences whilst using their online credit bank cards to shop on e-commerce websites. Another response was that they refuse to use PayPal because of the company's transaction charges associated with using it to shop from e-commerce applications, while some PayPal users claimed they could use the service to access some e-commerce websites.

About 20% of the participants had issues of not getting through to customer services. However, no participant had any major security issues warranting them to make online transactions on e-commerce websites. Furthermore, 100% of the participants claimed the e-commerce company and their bank should be held responsible for the security of their data and information uploaded to their servers. The major security
threats participants observed and experienced on the eBay, Amazon and Konga websites are documented in detail below.

4.5 Data Analysis from the Interview

A. Security Issues Associated with E-Bay App System

Most participants felt eBay was not meeting up to standard in terms of providing adequate security on its platform, because there are illegal sellers who advertise their products on the app but fail to deliver the item after it has been successfully purchased by a customer. They also complained that the eBay application security verification, two-step security verification, is compatible with the Nokia and HTC mobile devices. Finally, some eBay customers that participated in the interview claimed their accounts had been undermined, especially when the password was not strong enough to withstand hackers, and that eBay's response to security issues is slow, especially when a complaint is made via email or telephone. However, some customers commended it as an easy and convenient way to shop, as many participants claimed; some even said they make a lot of money from bargains on the eBay application.

B. Security Issues Associated with Amazon App System

The participants that use the Amazon application had very few security concerns; they felt it was relatively safe compared to other e-commerce applications. Some participants claimed they experience other issues using the application. Some customers complained about delays in the shipping period of delivery items ordered from the Amazon application. Another respondent claimed the app also shows a stipulated delivery date, but there is always a delay in delivering the item to the specific destination on the delivery date stated. Some respondents think this is a major problem with the Amazon
application. Other complaints include rigid policies on returning an item bought from the application. They want the process of returning items that did not meet specification via their Amazon application. Another complained that the application's customer service team is very slow in responding to customer complaints made from the app. Most complaints are not linked to security issues.

C. Security Issues Associated with Konga App System

Among those interviewed, about 30% of the participants were Konga users. Konga is an e-commerce business based in Nigeria that sells items across the African continent. Participants who use Konga had some major concerns about the security of their bank card being stored on the website. They are also concerned that the website does not accept some banks' online credit cards or PayPal. Although the app users are very satisfied with the delivery services, some users complained that substandard or damaged products are sometimes delivered. Participants also complained about the response time of the app's customer services, which is very slow. Other complaints include hidden charges being withdrawn from their accounts without their knowledge. Lastly, some participants complained about being unable to add selected items to the application cart while using their Nokia mobile device.
Chapter 5: Implementation and Results

4.1 Evidence of Developing a New Threat Modelling Technique

4.1.1 Project Result Website

Figure 8: Screenshot One showing the Website Page of the Threat Model for Securing E-commerce Application
Figure 9: Screenshot Two showing the Website Page of the Threat Model for Securing E-commerce Application

Figure 10: Screenshot One showing the Website Page of the Threat Modelling for Securing E-commerce Application

4.2 Project Result Discussion

Goals

This threat modelling technique will ensure that all e-commerce applications are developed with security integrated from the very beginning. This threat modelling process will combine the documentation of the SDLC in e-commerce application development to assist in maintaining a better operation and understanding of the system. The system will allow the reviewer to see where the entry points to the application are and the threats associated with each entry point. This modern threat modelling tool analyses an e-commerce application from a potential attacker's perspective; it does not work on the defensive side. The model is primarily applied to an application at the SDLC level. Notwithstanding, it can also be
applied to already existing applications to analyse the major security threats associated with the app. The new threat modelling process can be broken down into 3 high-level steps, namely:

i. Application Decomposition.
ii. Determining high ranking threats.
iii. Determining possible countermeasures and mitigation.

Step 1: Application Decomposition: The first step in this threat modelling process is concerned with gaining an understanding of the application and how it interacts with external entities (app users and servers). This will be illustrated by creating a use-case diagram showing how the e-commerce application is used, in order to identify the entry points where a potential attacker could interact with the application. In addition, application decomposition involves identifying assets, which could be items or areas that the attacker will be interested in attacking, thus damaging the application. This application decomposition information will be documented in the threat model document and used to produce data flow diagrams (DFDs) for the e-commerce application. The DFDs will show the different paths through the system and highlight the privilege boundaries.

Step 2: Determining high ranking threats: Another criterion for the identification of threats is the use of a threat categorization methodology. Threat categorization methods such as STRIDE and Application Security Frame (ASF) can be used to define the threat
ranking. The goal of the threat categorization is to help identify threats from both the attacker's perspective (STRIDE) and the defensive perspective (ASF). The DFDs produced in step 1 will then help to identify the potential threat targets from the attacker's perspective using data sources, processes, data flows, and interactions with users. These threats can be identified further as the roots of threat trees; there is one tree for each threat goal. From the defensive perspective, ASF can help in categorizing threats by identifying the weaknesses of the security controls for those threats. Common threat lists with examples will help in the identification of major e-commerce threats, allowing a qualitative risk model based on general risk factors such as likelihood, impact and probability to be constructed.

Step 3: Determining possible countermeasures and mitigation: Lack of protection against a specific system threat might indicate application vulnerability, risk exposure towards hackers, and breakdown of the application's functionality and implementation. The most suitable countermeasures for these threats can be identified using the existing threat-countermeasure mapping lists. The purpose of the countermeasure step is to determine whether there is a protective measure in place to prevent each previously identified threat from being realized. The priority for the available threats is to enhance the application mitigation effort by applying adequate countermeasures from the countermeasure mapping list. The risk mitigation strategy mainly involves evaluating the identified threats according to the business impact they pose and reducing the risk. Other strategies might include accepting the risk or removing the risk posed by the threat completely; some may even prefer to do nothing.
The above steps will be documented as they are carried out on the e-commerce application. The resulting documentation and analysis is the threat model for the application. This method will be used to analyse a newly developed e-commerce app and the existing Amazon mobile shopping application. Each of the steps in the threat modelling process is described in detail below.

Newly Developed E-commerce Application Decomposition

Application Name: Any e-commerce application
Application Version: 1.0
Application Description: E-commerce application that enables users to sell and purchase items over the internet
Application Developer: Conor Bill
Application User: Shoppers with a specific need to buy a certain product
Application Threat Reviewer: Mayor Jeff
External Application Dependencies: The application will be running on any server, including a Linux server. The server will be hardened according to the amount of information it sends and receives per second. This includes updating the application to any new standard. The system must run on a database server updated to the latest operating system and application security patches. The connection between the web server and the database server will be over a private network. The web server
should be protected behind strong firewalls.

Table 1: Newly Developed E-commerce Application Decomposition

Application Entry Point

Entry points define the interfaces or points through which potential attackers can interact with an application to supply it with data. For a potential attacker to attack an application, an entry point must exist. Entry points in an application can be layered. For example, each web page in a web application may contain multiple entry points. Entry points will be documented as follows:

ID: A unique ID is assigned to the entry point. This will be used to cross reference the entry point with any threats or vulnerabilities that will be identified.
Name: A descriptive name is used to identify the entry point and its purpose.
Description: A textual description detailing the interaction or processing that occurs at the entry point.
Trust Levels: The level of access required at the entry point is documented here. These will be cross referenced with the trust levels defined later in the document.

| ID | Name | Description | Trust Level |
|---|---|---|---|
| 1 | HTTP | The e-commerce app will be accessible on any mobile phone with internet once it has been downloaded appropriately. | Anonymous web users. Users with valid login credential. Users with invalid login credentials. |
| 1.1 | Official website | The main page of the e-commerce application is an entry point for all users. | Anonymous web users. Users with valid login credential. Users with invalid login credentials. |
| 1.2 | Application login page | All the e-commerce customers with valid username and password must log on to the application before carrying out a full transaction. | Staff. Users with valid login credential. Users with invalid login credentials. |
| 2.0 | Application login with functionality | These are entry points where the e-commerce suppliers and staff can update certain credentials on the application database. However, these credentials must be approved by an authorised administrator before being viewed by the app customer user if necessary. | Staff with valid login credential. Supplier with valid login |
| 2.1 | Application search entry page | The page on the application used to search for available items on the e-commerce app by its users. | Consumers with valid login credentials. Staff with valid login credentials. Suppliers with valid login credentials. |

Table 2: Application Entry Point

Application Assets

The application must have something the attacker is interested in getting from the website. This information or these areas of interest are referred to as the assets. Assets are the essential threat targets, which can be either physical or abstract. The assets of an e-commerce application are the list of client names (customers, suppliers and staff) and the personal information stored on the company's database. The application assets will be documented in the threat model as follows:

ID: A unique ID is assigned to identify each asset. This will be used to cross reference the asset with any threats or vulnerabilities that are identified.
Name: A descriptive name that clearly identifies the asset.
Description: A textual description of what the asset is and why it needs to be protected.
Trust Levels: The trust level is the access requirement level to log in to the entry point. This will be documented for an e-commerce company here. These will be cross referenced with the trust levels defined in the next step.

| ID | Name | Description | Trust Level |
|---|---|---|---|
| 1.1 | Customers user | This involves the e-commerce customers who have registered with their personal information and bank details as assets to the application. | Very high level for only customers with login credentials. |
| 1.2 | Customer unique password and ID | These are the e-commerce customers' unique credentials needed for signing into the application. | Very high trust level unique to just customers' users, database administrator or reader and web server user. |
| 1.3 | Staff login details | These are the credentials that need to be stored in the e-commerce app database to verify a staff user. | Very high trust level, unique to the staff user database server administrator or reader and the web server user. |
| 1.4 | Supplier login details | These are the credentials that need to be stored in the e-commerce app database to verify a supplier user. | Very high trust level, unique to the supplier's user database server administrator or reader and the web server user. |
| 1.5 | Company legal and private trademark documents. | These assets have to do with the legal documents of the e-commerce company, which do not have to be shared publicly. | Very high trust level unique to certain staff with authorisation to access these files. |
| 2 | System Assets | | |
| 2.0 | The app executive code | This is the e-commerce development application code, which is not to be open source as it is a legal document of the company. | Medium trust level, because this document can be outsourced to a third-party company to help with its regular testing, maintenance and updating. |
| 2.1 | The app SQL or MySQL database | This is a major asset of the e-commerce application that stores data, retrieves it and deletes it when necessary. | Medium trust level, because this database can be outsourced to a third-party company to help with its regular testing, maintenance and updating. |
| 2.2 | The access to modify or update data | These are new information assets of the customers, suppliers and staff being updated on the e-commerce application. | Very high trust level, because there is highly confidential information that has been given to the e-commerce firm because of trust. To be accessed mainly by the e-commerce website or administrator and the database administrator. |

Table 3: Application Assets

Application Security Trust Level

Trust levels represent the access rights the application will grant to the application users. The trust levels cut across the different entry points and assets and determine who can manipulate different data in the application. The trust level will categorise the trust of users into very high, low and medium access rights or privileges required at each entry point or to interact with the different assets. Trust levels will be documented in the threat model as follows:

ID: A unique number is assigned to each trust level. This is used to cross reference the trust level with the entry points and assets.
Name of users: A descriptive name that shows the different internal and external users that should be granted a trust level.
Category of users: A description of the trust level granted to some typical users of the application.

| ID | Name of users | Category of users |
|---|---|---|
| 1 | Anonymous user | Low trust |
| 2 | Customer with valid login credentials | High trust |
| 3 | Customer with invalid login credentials | Medium trust |
| 4 | Staff with valid login credentials | High trust |
| 5 | Supplier with invalid logging credentials | Low trust |
| 6 | Supplier with valid logging credentials | High trust |
| 7 | Database server administrator with valid login credentials | High trust |
| 8 | Web server administrator with valid login. | High trust |

Table 4: Application Security Trust Level

Application Security Data Flow Diagram

All the information collected will be used to accurately model the application with a data flow diagram. The DFD will help the security analysis of the application by providing a better understanding of the application through a visual representation of how the application processes its data. The DFD will be used to focus on how the data sent to the application moves through it and what happens to the data as it moves. The DFD will be built in a hierarchical structure, and thus will be decomposed into subsystems and lower-level subsystems to allow a clear focus on the specific involvement of the e-commerce application.
Figure 11: New Application Security Data Flow Diagram

Determining high ranking threats

The possible e-commerce threats, once determined, are then categorised using the STRIDE model to rank them effectively based on the threat impact, the possibility of occurrence and the ease of exploitation. The STRIDE categorisation is useful for identifying the major threats by classifying the attacker goals as follows:

- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

| Type of threat | Example | Impact | Possibility | Ease of exploitation | Security control |
|---|---|---|---|---|---|
| Spoofing | Threat actions aimed to illegally access the app and use another user's credentials, such as username, password or bank details. | High | Medium | 7 | Appropriate authentication. More protection for secret data. |
| Tampering | Threat actions aimed to maliciously change/modify important data on the e-commerce application; can exchange viruses between mobile devices. | High | High | 8 | Using hash encryption method. Using digital signature and certificate tools. |
| Repudiation | Threat actions aimed to perform illegal operations on an application that lacks the ability to trace the attacker. | Medium | Medium | 6 | By using digital signature. |
| Information disclosure | Threat action aimed to read or copy certain files and private information from the app server that are very important to the e-commerce company. | High | High | 7 | By using enhanced privacy protocol. By using encryption. By using authorization to access secret data. |
| Denial of service | Threat aimed to deny access to valid users, such as making a web server temporarily unavailable. | Low | High | 7 | By using appropriate authentication. By using data filtering services. |
| Elevation of privilege | Threat aimed to gain privileged access to important information on the app and to compromise the system. | Low | High | 6 | By using high privilege authentication. By using password and PIN security tools. |

Table 5: High Ranking Threats

Key: Impact = High, Low, Medium. Possibility of threat occurring = High, Low, Medium. Ease of exploitation = a score of 1-10 indicating the reproduction of the threat and the explosiveness of how the threat can affect users' data.

Determining possible countermeasures and mitigation

The objective of risk management is to reduce the impact that the exploitation of a threat can have on the e-commerce application. This can be done by responding to a threat with a risk mitigation strategy. The decision as to which strategy is most appropriate depends on the impact an exploitation of the threat can have, the possibility of the threat occurring and the ease of exploitation, as shown above.

| Type of threat | Countermeasures and mitigation |
|---|---|
| Spoofing | Credentials and authentication are protected with encryption in storage and transit. Strong password policies must be enforced for the e-commerce users. Passwords are stored with salted hashes to prevent illegal access. |
| Tampering | Auditing and logging of all administrators' activities is enabled at all times. Access to configuration files and administrators is enabled always. |
| Repudiation | No sensitive information is stored in the clear without encryption. E-commerce users are forced to update their username and password to keep track of fake users and hackers. |
| Information disclosure | By using appropriate authorization to secure the system. Using an appropriate protocol, depending on the language used to program the app, that must resist brute force and replay attacks. |
| Denial of service | Auditing of login credentials must be enabled to refuse unwanted users trying to deny users the right to the e-commerce application. High-integrity authorization of individuals with logins is very important. |
| Elevation of privilege | Running high-security privilege administration on users, including staff and customers, intending to use the e-commerce system. |

Table 6: Countermeasures and Mitigation

Amazon E-commerce Application Decomposition

Application Name: Amazon
Application Version: Version 9.70(3-20879.0)
Application Description: The Amazon application belongs to one of the world's largest online retailers, which is also a prominent cloud services provider. The cloud service gives access to Kindle book lending and cloud-based photo storage. The application gives customers the option to quickly search available products, get product details, read reviews and provide reviews.
Application Developer: Amazon Eurasia holdings
Application User: Mobile shoppers on iOS and Android devices using the application for shopping.
Application Threat Reviewer: Courage Dike
External Application Dependencies: The application runs on an Amazon EC2 server. The server is a web service that provides secure, resizable compute capacity in the cloud. This server keeps the old and updated Amazon application in an archive. The application runs on an Amazon relational database server that provides complete control of all the web data and is highly secure.

Table 7: Amazon E-commerce Application Decomposition
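The three steps carried out above for the newly developed application (Tables 2, 4, 5 and 6) can be checked mechanically. The Python sketch below is an added example, not part of the original project: the mapping of entry points to trust-level IDs, the numeric weights Low=1, Medium=2, High=3, the product used as a ranking score, and the shortened countermeasure labels are all assumptions of this example.

```python
from dataclasses import dataclass, field

LEVEL = {"Low": 1, "Medium": 2, "High": 3}  # ASSUMPTION: weights not given in the report

# Table 4: trust level ID -> (name of users, category of users)
TRUST_LEVELS = {
    1: ("Anonymous user", "Low"),
    2: ("Customer with valid login credentials", "High"),
    3: ("Customer with invalid login credentials", "Medium"),
    4: ("Staff with valid login credentials", "High"),
    5: ("Supplier with invalid logging credentials", "Low"),
    6: ("Supplier with valid logging credentials", "High"),
    7: ("Database server administrator with valid login credentials", "High"),
    8: ("Web server administrator with valid login", "High"),
}

@dataclass
class Item:
    """One row of the entry-point or asset table."""
    id: str
    name: str
    trust_ids: list  # ASSUMPTION: rows reference trust levels by Table 4 ID

@dataclass
class Threat:
    """One row of Table 5 joined with its Table 6 countermeasures."""
    category: str
    impact: str
    possibility: str
    ease: int
    countermeasures: list = field(default_factory=list)

# Table 2 entry points; the trust-level IDs are this example's reading of the table.
ENTRY_POINTS = [
    Item("1", "HTTP", [1, 2, 3]),
    Item("1.1", "Official website", [1, 2, 3]),
    Item("1.2", "Application login page", [2, 3, 4]),
    Item("2.0", "Application login with functionality", [4, 6]),
    Item("2.1", "Application search entry page", [2, 4, 6]),
]

# Table 5 ratings with Table 6 countermeasures (labels shortened).
THREATS = [
    Threat("Spoofing", "High", "Medium", 7, ["encrypted credentials", "salted hashes"]),
    Threat("Tampering", "High", "High", 8, ["administrator audit logging"]),
    Threat("Repudiation", "Medium", "Medium", 6, ["no clear-text sensitive data"]),
    Threat("Information disclosure", "High", "High", 7, ["authorization", "protocol choice"]),
    Threat("Denial of service", "Low", "High", 7, ["login auditing"]),
    Threat("Elevation of privilege", "Low", "High", 6, ["privilege administration"]),
]

def lint(items, trust_levels):
    """Step 1 check: IDs must be unique and every trust reference must resolve."""
    problems, seen = [], set()
    for item in items:
        if item.id in seen:
            problems.append(f"duplicate ID {item.id} ({item.name})")
        seen.add(item.id)
        if not item.trust_ids:
            problems.append(f"{item.id} has no trust level")
        for tid in item.trust_ids:
            if tid not in trust_levels:
                problems.append(f"{item.id} references undefined trust level {tid}")
    return problems

def exposed_to(items, trust_levels, category):
    """IDs of rows reachable by at least one trust level of the given category."""
    return [i.id for i in items
            if any(trust_levels[t][1] == category for t in i.trust_ids if t in trust_levels)]

def risk_score(threat):
    """Step 2: ASSUMED score = impact weight x possibility weight x ease (1-10)."""
    return LEVEL[threat.impact] * LEVEL[threat.possibility] * threat.ease

def rank(threats):
    """Highest score first; ties broken alphabetically by category."""
    return sorted(threats, key=lambda t: (-risk_score(t), t.category))

def unmitigated(threats):
    """Step 3: threats that have no countermeasure recorded against them."""
    return [t.category for t in threats if not t.countermeasures]

if __name__ == "__main__":
    print("lint:", lint(ENTRY_POINTS, TRUST_LEVELS))
    print("reachable at low trust:", exposed_to(ENTRY_POINTS, TRUST_LEVELS, "Low"))
    for t in rank(THREATS):
        print(f"{risk_score(t):3d}  {t.category}")
    print("unmitigated:", unmitigated(THREATS))
```

Because the IDs exist only to cross reference rows, `lint` treats a repeated ID or an unresolved trust level as a defect in the threat model document itself.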
Amazon Entry Point

ID: A unique ID is assigned to the entry point. This will be used to cross reference the entry point with any threats or vulnerabilities that will be identified.
Name: A descriptive name is used to identify the entry point and its purpose.
Description: A textual description detailing the interaction or processing that occurs at the entry point.
Trust Levels: The level of access required at the entry point is documented here. These will be cross referenced with the trust levels defined later in the document.

| ID | Name | Description | Trust Level Users |
|---|---|---|---|
| 1 | iOS and Android application store | The Amazon app allows customers to access its services on any internet-connected mobile phone or tablet once it has been downloaded appropriately. | Anonymous web users. Users with valid login credential. Users with invalid login credentials or guest users, who however must provide an email. |
| 1.1 | Amazon Official website | The main page of the Amazon application is an entry point for all users. | Anonymous web users. Users with valid login credential. Users with invalid login credentials. |
| 1.2 | Application login page | The Amazon customers with valid username and password must log on to the application before carrying out a full transaction. | Staff. Users with valid email, password and username credential. |
| 2.0 | Amazon login functionality | These are entry points where the e-commerce suppliers and staff can update certain credentials on the application database; however, these credentials are approved by a user's correct username and password before being viewed by the app customer user if necessary. | Staff with valid login credential. Supplier with valid login |
| 2.1 | Application shopping entry page | The page of an item on the application used to search for available items on the e-commerce app by its users. | Consumers with valid login credentials. Staff with valid login credentials. Suppliers with valid login credentials. |

Table 8: Amazon Entry Point

Amazon Security Asset

ID: A unique ID is assigned to identify each asset. This will be used to cross reference the asset with any threats or vulnerabilities that are identified.
Name: A descriptive name that clearly identifies the asset.
Description: A textual description of what the asset is and why it needs to be protected.
Trust Levels: The trust level is the access requirement level to log in to the entry point. This will be documented for an e-commerce company here. These will be cross referenced with the trust levels defined in the next step.

| ID | Name | Description | Trust Level |
|---|---|---|---|
| 1.1 | Amazon Customers information | This involves Amazon customers who have registered with their personal information such as name, email, address and bank details as assets to the application. | Very high level for only customers with login credentials. |
| 1.1 | Customer unique password and ID | These are the e-commerce customers' unique credentials needed for signing into the application. | Very high trust level unique to just customers' users, database administrator or reader and web server user. |
| 1.2 | Sellers login details | These are Amazon sellers with credentials that need to be stored in the e-commerce app database to verify the seller user. | Very high trust level, unique to the supplier's user database server administrator or reader and the web server user. |
| 1.3 | Technology officers with valid login credentials | These are the technology officers of Amazon located at different Amazon warehouses and with valid logins to the Amazon app database. | Very high trust level, unique to different technology officers using the database and server to access and read various files. |
| 1.4 | Web server administrator with valid login | These are web server administrators located at Amazon server locations in various countries with valid logins to the Amazon app database. | Very high trust level, unique to different web server administrators updating the server to allow regular transmission of real-time information. |
| 1.5 | Administrative Directors with valid login | These are the various Amazon administrative directors in different countries who run the day-to-day activity of the location. | Very high trust level, unique to different administrative directors. |
| 1.6 | Software maintainer with valid login | These are the various Amazon software maintainers with valid logins and critical information needed for the Amazon app to work effectively. | Very high trust level, unique to different software maintainers allowed to maintain various Amazon software systems. |
| 1.7 | Human resource with valid login | These are the various Amazon human resources staff with valid logins. They have access to the records of past and current employees at Amazon; this must be kept securely. | Very high trust level, unique to different human resource staff with unique access to update all employee records and personal information. |
| 1.8 | Financial operator with valid login | These are the various financial operatives with the job of keeping track of customers' receipts and paying sellers as well as staff. | Very high trust level, unique to different human resource staff with unique access to update all employee records and personal information. |
| 1.9 | Company legal and private trademark documents. | These assets have to do with the legal documents of the e-commerce company, which do not have to be shared publicly. | Very high trust level unique to certain staff with authorisation to access these files. |
| 2 | System Assets | | |
| 2.0 | The app executive code | This is the Amazon implemented application code, which is not to be open source as it is a legal document of the company. | Medium trust level. |
| 2.1 | The Amazon relational database | This is a major asset of the e-commerce application that stores data, retrieves it and deletes it when necessary. | Medium trust level. |
| 2.1 | The access to modify or update data at | These are new information assets of the customers, suppliers and staff being updated on the e-commerce application. | Very high trust level, because there is highly confidential information stored by Amazon. |

Table 9: Amazon Security Asset

Amazon Security Trust level

ID: A unique number is assigned to each trust level. This is used to cross reference the trust level with the entry points and assets.
Name of users: A descriptive name that shows the different internal and external users that should be granted a trust level.
Category of users: A description of the trust level granted to some typical users of the application.

| ID | Name of users | Category of users |
|---|---|---|
| 1 | A guest user | Low trust |
| 2 | Customer with valid login credentials | High trust |
| 3 | Amazon sellers with invalid logging credentials | Low trust |
| 4 | Amazon sellers with valid logging credentials | High trust |
| 5 | Technology officers with valid login credentials | High trust |
| 6 | Web server administrator with valid login | High trust |
| 7 | Director administrative with valid login | High trust |
| 8 | Software maintainer with valid login | High trust |
| 9 | Human resource with valid login | High trust |
| 10 | Financial operator with valid login | High trust |

Table 10: Amazon Security Trust level

Amazon Security Data Flow Diagram

Figure 12: Amazon online Application Security Data Flow Diagram

Determining high ranking threats

| Threat Type | Example | Impact | Possibility | Ease of exploitation |
|---|---|---|---|---|
| Authentication | Brute force attack on a customer user with a vulnerable password. Hijacking of an Amazon customer's password or username. | 8 | 10 | Low |
| Authorization | Forged authorization by an Amazon staff member. Leaking of confidential information by an Amazon staff member. | 9 | 6 | Medium |
| Configuration Management | Reconfiguration by a staff member to forge Amazon documents. Tampering with and publicizing Amazon confidential information. | 9 | 7 | Medium |
| Data Protection in Storage and Transit | Hacking of the Amazon local server and database. Illegal decryption of Amazon encrypted files to steal documents. | 10 | 7 | High |
| Data Validation / Parameter Validation | Exchange of security-corrupt files between Amazon staff and its app users. Amazon app not coded on the right platform. | 8 | 5 | Medium |
| Error Handling and Exception Management | Amazon handling error messages with care so as to avoid them getting into the wrong hands. | 5 | 5 | Low |
| User and Session Management | Amazon cookies inappropriately. Amazon avoiding storing sensitive information in clear text. | 5 | 7 | Medium |
| Auditing and Logging | Amazon app auditing not given to trustworthy individuals. Amazon app configured to accept fake users and avoid integrity control. | 10 | 8 | Low |

Table 11: High Ranking Threats

Key: Impact = High, Low, Medium
Possibility of threat occurring = High, Low, Medium. Ease of exploitation = a score of 1-10 indicating the productivity of the threat and the explosiveness of how the threat can affect users' data.

| Threat Type | Countermeasure |
|---|---|
| Authentication | Amazon credentials are protected with encryption. Amazon recommends a strong password and username for all its users. Amazon recommends that users reset their password every three months. |
| Authorization | Amazon regards hacking of its data or servers as a criminal offence that is punishable by law. |
| Configuration Management | Access to reconfiguration of files and app restructuring is only by Amazon executive directors. |
| Data Protection in Storage and Transit | Access to data and its app storage is only by Amazon executive directors. |
| Data Validation / Parameter Validation | Amazon is constantly making security decisions and updating its applications. |
| Error Handling and Exception Management | Amazon previews messages so that no sensitive information is revealed to attackers. |
| User and Session Management | Amazon sensitive information is not stored in clear language. Amazon app functionality sessions expire and log out at some. |
| Auditing and Logging | Amazon app auditing must be given to trustworthy individuals. The Amazon app configuration must not accept fake users and must use integrity control. |

Table 12: Threat and Countermeasures

4.3 Evaluation of the Result

This newly developed security model is very different from the currently existing threat modelling approaches because:

- It can allow e-commerce companies to consider the security of their application before it is developed.
- It allows e-commerce web developers and designers to consider security before developing and designing an application.
- This new security threat model contains a website that helps users download their security challenges in the form of a PDF as they are being documented. This is to help security analysts refer to the documentation when needed.
- This new security threat modelling approach is structured to help developers document their major challenges effectively and apply the most suitable countermeasures.
- This new security threat modelling showcased how passwords, encryption and other security tools can be used to facilitate effective e-commerce security.

Based on the feedback obtained from the interview alongside the aim initially proposed in the project proposal, the feedback and objectives were met.

Chapter 6: Summary and Conclusion

6.1 Summary

The entire study above has focused on finding the security vulnerabilities in online services that can cause the most security issues in e-commerce platforms. The study shows how security vulnerabilities in the cyber world can be a threat to an e-commerce website, which in turn causes problems for the proprietors of the e-commerce website, the authorities and, by extension, the customers of the website. The study was initiated because there have been reports of security threats and attacks in the past, which have alarmed the authorities of e-commerce and digitized businesses into following up the vulnerabilities in their websites and running a full analysis of the business to find any risk factors and eradicate them
completely with the most effective solutions implemented. Not just security vulnerabilities, but there have also been ransomware attacks that have harmed the cyber activities of the customers of these digitized organizations. In addition, it has been found that these ransomware attacks and the ways in which they occur are spreading rapidly, causing potential customers of the business to stop considering online shopping a feasible way of shopping. The attacks have not only spread from one customer to another but have also hit one business after another. This is why this particular study was developed: to gather feedback from the companies, run a security analysis on a chosen platform and find a feasible way of providing a solution to the problems by collecting data from primary and secondary sources and developing effective theories from them. For this study especially, the software security tools were also analysed proactively to establish how they can be utilized to find a solution to the security threats. The study has effectively utilized various forms of security tools in this regard, from the primitive forms of security tools to the recently developed tools. Analysing the security tools and the security threats in a similar way makes it easier to understand the ways in which the security threats have been addressed on e-commerce websites. Having said that, the research was developed to find an appropriate methodology that would be able to formulate a theoretical approach for further developing a methodology for applying threat modelling techniques. This threat modelling technique would combine the use of the analytical tools with the developed methodology, and in this way the solution would be formalised into a proper methodology for the website to
make sure that the security vulnerabilities are properly addressed. The entire research has been built on finding a proper way of developing and maintaining the website so that all these security vulnerabilities are eradicated from the system. However, it was found during the research that most of these threat modelling techniques and analytical tools are among the practices used in the computer industry to reduce the volume and severity of exploitable vulnerabilities in e-commerce software applications. But most of these threat models are usually implemented after the design and development of an e-commerce application, which is not best practice. Therefore, the most probable use of this research was based on the methodology of the SDLC, or software development lifecycle. The research found that only through SDLC methods is a developer able to find the proper way of embedding dependable and secure development in the website and applying it to the organization. While the SDLC method is followed, the developer must embed security within the design to produce an impermeable website that allows security analysts and developers to think proactively about countermeasures, to discover available threats and avert future attacks. While the research process was formulated, it was necessary to generate a research problem statement, which is usually a problem found throughout the research work, or the problem that the research is trying to solve through the entire study. This involves formulating a way in which the problem statement is approached. In this particular case, the problem statement has been identified as the traditional way in which websites for e-commerce platforms are designed and developed. This is because it has
been found that, through these traditional processes, there have been multiple intrusions into the websites, as there were security vulnerabilities in the development process. The outcome of the entire design and development was found to be faulty when it came to the security system of the e-commerce applications. There were repeated reports of ransomware attacks and other ways of manipulating or stealing information, for which the development process was to be blamed. This is why the entire research has been formulated to find a feasible way in which the vulnerabilities can be identified and, in the further development and design of the websites, avoided. Having vulnerabilities in e-commerce websites not only causes problems for the customers of the organization; addressing them is also becoming obligatory for building a good reputation for the organization with its customers. The next phase of the research was framed to identify the research aims and objectives before the research process commenced. The research had the particular aim of investigating the tools that have been used by the various software development systems since they were introduced in software development. This would be required for the investigation of threat modelling for the successful design and development of e-commerce applications when they are available live to customers online. The aim of the research also pointed at the ways in which this has been done. This is because the reader must have a clear idea of how the research was initially planned, in order to follow the research methodology used for collecting the data. This in turn raised the research objectives, which were formulated from the research aims. The main objectives of the research focused on the
specified requirements that an e-commerce application should meet to satisfy security standards. These included: an appraisal of the underlying principles of online shopping using credit cards and PayPal; an overview of e-commerce security; a review of the different security issues in e-commerce organizations; a review of the available security tools and security modelling approaches in e-commerce; development of a standard security model for software development methodologies in e-commerce organizations; and a comparison of the degree of success of the developed security modelling approach for e-commerce applications. However, beyond all of the formulated methodologies, research aims and objectives, it was also necessary to establish whether there was any scope for the research. If there was no scope in the research and development of software for e-commerce websites, there would be no point in developing the research further. The scope of the research highlights that the security challenges website development has faced since its inception are the reason the research was started in the first place. This research was first identified to provide solutions to recent issues; for the study, the researcher aims to use past research work, current research materials and interactive social media platforms to obtain the most recent and up-to-date security models being used to curb or reduce security threats online. After that, the background of the study was formulated, which sets out why the security issues of software and website development need to be eradicated in the first place. This chapter specifically focuses on how malicious hackers have been making it difficult for organizations to cope with the challenges they pose to both the organization and its customers. The reasons why this particular issue
is forming a huge obligation to research and find a solution for eradicating these threats have been described in this chapter. Furthermore, this chapter describes how software hackers are consistently using advanced technologies and techniques to access important data and carry out other significant activities against e-commerce network applications. In addition, this section describes that in the electronic technologies sector, privacy and security are major factors. The e-commerce sector shares these views, in line with other technological fields. While some firms face difficulties in making their website security sophisticated enough to provide customers with effective secure online payment, other firms such as PayPal, WePay and ProPay have provided their customers with the security of accessing any website with an assurance that their information is safe. This section also clarifies that large organizations have been investing huge amounts of money in e-commerce websites, since the latest advances in technology have made it even more lucrative to invest in digitized organizations that promote e-commerce technologies. However, after it was found that these security vulnerabilities are present throughout the development and design phase, these organizations have started investing more in finding a solution that would address and resolve e-commerce security challenges using various tools and technologies. The research helps in formulating a structured approach that enables one to identify, measure and address the security hazards associated with applications and software. However, the research has its own limitations, one of which was that the entire research was based only on the e-commerce application payment systems of E-bay, Amazon and Konga. The research also identifies the various types of threat modelling approaches available today. These threat modelling
approaches include Fault Tree Analysis, attack trees, STRIDE and DREAD. These approaches and techniques for application security have proven to be ineffective; this is evident in their vulnerabilities, which permit applications to be attacked or damaged. A challenging task is determining which approach will give the best result when applied to a specific software application or e-commerce application. Therefore, determining how to solve this security challenge effectively using the most effective tool is the crux of this project. The research scope also identifies the need for security in e-commerce websites, which forms an integral part of the entire research. The need for security against these threats was examined in further detail in the literature review chapter of the study, which sets out how the conceptual framework was formulated to show why the research was needed from the perspective of business organizations. It is an issue that needs to be addressed in the research because, at the end of the day, this would mostly benefit business organizations, so that they can invest appropriately and logically. It can also be said that this research would make it easier for decision-making bodies to make effective, research-based decisions about investing properly when developing a website as an e-commerce platform. The threat modelling framework developed as a result is mostly based on the step-by-step development phases of the website, and it is further discussed how the framework should be used to make sure that the website is impermeable to external hackers. However, it should not be forgotten that the research as a whole should not violate any ethical framework that applies to the conduct of research. Thus, the research follows how data had been collected from primary and secondary sources in the most appropriate and ethical way possible and
made sure that the observation of E-bay, Amazon and Konga e-commerce mobile application users was concerned with the security of these platforms. Although the findings of the study were described in detail in the later chapters, this section described that proper ethical considerations were made while researching the topic. The next chapter provided an overview of the security issues in e-commerce and how they have been addressed or identified according to the literature and the work of other researchers and analysts in the past. The entire chapter can be considered a data collection technique developed through literature review. The articles reviewed in this regard are considered secondary sources throughout the research. This chapter focuses on all the developed methods that can be considered authentication mechanisms for e-commerce websites, which are based on providing personal security identification and access control methods. This chapter also defines the specific key terms required for the awareness of the reader going through the paper. The terms include fraud, electronic thief, security confidentiality, e-commerce integrity, and phishing. Then the chapter introduces the literature review, which is the process used for data collection through secondary sources. This chapter identifies the underlying principles of online shopping using credit cards and PayPal, the e-commerce security tools, firewalls, and the types of firewalls. Therefore, the entire structure of the research has been linked to the research objectives and the information or data collected through the literature review or secondary sources.
This forms the basic criterion for the primary data collection method, as the questions formulated for the research were developed with the help of this literature review. The next chapter is thus devoted to the adopted methodology, which enables clear visibility of a project by helping to ensure that any necessary decisions can be made at the earliest possible opportunity. This is normally done to avoid unforeseen circumstances while there is still time to avoid any risk. In addition, research methodology is an efficient way of managing time for a project. The chapter describes the four research methodologies selected for the analysis of threat modelling tools and techniques used in securing e-commerce applications online: prototype methods, DSDM (Dynamic Systems Development Model), Spring and Scrum. During this process as well, ethical considerations have been taken into account and followed rigorously. The next chapter frames the data collection process, which includes the evidence for the interview conducted online and a summary of the conducted research. This helps in finding all the relevant information needed during the research process as a whole. This is why the research was conducted: to find the relevant information regarding security issues in the above-mentioned areas of e-commerce websites and how a solution can be formulated for the further development of e-commerce websites without security issues recurring.
6.2 Conclusion

It would be a grievous mistake to underestimate the importance of threat modelling. Evidence has shown that there is an increase in the number of businesses going online for the sale of their products. In this report, an appraisal has been made of the importance of e-commerce shopping and the underlying principles behind using online credit cards and PayPal. Further analysis revealed the different security issues faced by many contemporary e-commerce firms, with emphasis on why a security tool and threat approach is important. The current e-commerce security tools and approaches that are being used to curtail security challenges affecting online businesses have been evaluated. However, this study identified major areas where key security issues were not properly considered by previous e-commerce website and application developers. Furthermore, it was also identified that the existing software development cycles, and earlier ones, did not fully take application security into account. This leads many software engineers and software developers not to consider security at the very beginning of their e-commerce application development. This has had an adverse effect on the growing e-commerce sector, discouraging business corporations, while small business owners are very cautious and thoughtful before migrating to online systems.

The threat modelling approach is a dynamic process, owing to the fact that threat initiators are constantly researching and looking for loopholes in different online applications. This constant lookout is to investigate ways to hack e-commerce applications, thereby compromising vital information. To prevent this, every security analyst has to be proactive and vigilant before and after an application is built. In a bid to go
ahead of the attackers, this research was conceived. This leads to a new security approach of tackling e-commerce application security using application decomposition, determining high-ranking threats, and determining possible countermeasures and mitigations.

Agile methodology was used to develop this approach, with constant research and observation of the current threats to e-commerce applications. Additionally, an explanation has been given of how this report can help security analysts and developers use the methods explained before and after they have created an e-commerce application. Finally, a website was developed as a procedure showing how this new security threat modelling approach has been documented and explained. This is to protect e-commerce applications from continuous security threats. This will invariably assist e-commerce enterprises to reduce cost, increase market share, and improve the relationship between buyers and sellers on their application. Appropriate ethical consideration was at the forefront of this research, as was documentation of the time plan for completing this report.

6.3 Recommendation

It is expected that further research should be carried out into securing e-commerce applications, considering the global threat to online business. In addition, appropriate security methods and techniques should be considered before web developers proceed to develop an e-commerce application. Due to the daily increase in the number of challenges in securing e-commerce applications, I am proposing that the modern software development life cycle should contain security as a main requirement or process. This is because older versions of the SDLC, such as the waterfall and prototype approaches, did not give any
detail about security, which has led to software developers not considering security as a major challenge. Also, large e-commerce companies should collaborate to raise funds to support research that will help in securing their systems. E-commerce firms should provide an avenue where they can constantly assure their users that the information they provide is secure and that their privacy will not be compromised. Also, regular contact with application users on how to keep the application secure from cybercriminals, to enhance the good consumer relationships needed for rapid growth in the e-commerce industry, would be a welcome idea.
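The three steps named in the conclusion (application decomposition, ranking threats, determining countermeasures) can be kept as a small threat register. The Python example below is added here for illustration and is not the author's website or model: it assumes the STRIDE-per-element chart and an averaged DREAD score as the ranking method, and the checkout components, ratings and countermeasures are constructed sample values.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: the threat categories to consider for each kind of
# element that application decomposition (a data-flow diagram) produces.
STRIDE_BY_KIND = {
    "external_entity": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"),
    "data_store": ("Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"),
    "data_flow": ("Tampering", "Information disclosure", "Denial of service"),
}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of STRIDE_BY_KIND


@dataclass(frozen=True)
class Threat:
    element: Element
    category: str           # a STRIDE category charted for element.kind
    description: str
    dread: tuple            # five ratings, 1-10, in DREAD_FACTORS order
    countermeasures: tuple

    def __post_init__(self):
        if self.category not in STRIDE_BY_KIND[self.element.kind]:
            raise ValueError(f"{self.category} is not charted for a {self.element.kind}")
        if len(self.dread) != len(DREAD_FACTORS) or not all(1 <= r <= 10 for r in self.dread):
            raise ValueError("DREAD needs five ratings between 1 and 10")

    @property
    def score(self):
        """DREAD risk: the mean of the five ratings."""
        return sum(self.dread) / len(DREAD_FACTORS)


def candidates(elements):
    """Step 1: every (element, STRIDE category) pair the analyst must consider."""
    return [(e, c) for e in elements for c in STRIDE_BY_KIND[e.kind]]


def rank(threats):
    """Step 2: highest DREAD score first; ties broken by the damage rating."""
    return sorted(threats, key=lambda t: (t.score, t.dread[0]), reverse=True)


def unreviewed(elements, threats):
    """Candidate pairs with no recorded threat: gaps to assess or dismiss explicitly."""
    seen = {(t.element.name, t.category) for t in threats}
    return [(e.name, c) for e, c in candidates(elements) if (e.name, c) not in seen]


def report(elements, threats):
    """Step 3: plain-text register pairing each ranked threat with its countermeasures."""
    lines = ["Threat register (highest risk first)"]
    for i, t in enumerate(rank(threats), 1):
        lines.append(f"{i}. [{t.score:.1f}] {t.element.name} / {t.category}: {t.description}")
        lines.extend(f"     - countermeasure: {c}" for c in t.countermeasures)
    lines.append(f"Unreviewed element/category pairs: {len(unreviewed(elements, threats))}")
    return "\n".join(lines)


# Constructed sample: decomposition of a hypothetical checkout, with constructed ratings.
CUSTOMER = Element("Customer", "external_entity")
GATEWAY = Element("Payment gateway", "external_entity")
CHECKOUT = Element("Checkout service", "process")
ORDERS = Element("Order database", "data_store")
CARD_FLOW = Element("Browser -> checkout card details", "data_flow")
ELEMENTS = [CUSTOMER, GATEWAY, CHECKOUT, ORDERS, CARD_FLOW]

THREATS = [
    Threat(ORDERS, "Tampering", "Order totals altered in the database",
           (8, 5, 4, 7, 4), ("Least-privilege database accounts", "Firewall the database tier")),
    Threat(CARD_FLOW, "Information disclosure", "Card details read in transit",
           (9, 7, 6, 9, 6), ("TLS with a valid certificate on every checkout page",)),
    Threat(CUSTOMER, "Repudiation", "Customer denies placing an order",
           (5, 6, 5, 3, 5), ("Digitally signed order confirmations",)),
    Threat(CHECKOUT, "Spoofing", "Attacker signs in with a guessed password",
           (7, 8, 7, 6, 7), ("Strong password policy", "Login rate limiting")),
]

if __name__ == "__main__":
    print(report(ELEMENTS, THREATS))
```

The unreviewed count is the useful part during design: each remaining pair is a threat category nobody has yet assessed or explicitly dismissed for that component.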
References Amini, A.,Jamil,N.,Ahmad, ARand Z`aba, AR (2017).Threat Modelling Approaches for Securing Cloud Computing. [Online] Available at:http://scialert.net/fulltext/? doi=jas.2015.953.967&org=11 [Accessed 29 Mar. 2017]. Anicas, M (2015). "What Is A Firewall And How Does It Work? | Digital ocean". Digitalocean.com. N.p., 2017. Web. 11 Apr. 2017. British Educational Research Association (2001).Ethical Guidelines for Educational Research. 1st ed. [eBook] Endsleigh Street, London WC1H 0ED: British Educational Research Association, pp.5-7. Available at: http://moodle.bcu.ac.uk/pluginfile.php/1162449/mod_resource/content/1/BERA-Ethical- Guidelines-2011.pdf [Accessed 3 May 2017]. Bruton, W. (1999). Fraud on the Revenue: Emerging Cyber Cash, Cyber Banks and Fraud.Journal of Financial Crime, 7(1), pp.75-78. Carey, T, & Mason, R (1983),'Information System Prototyping: Technique, Toolsand Methodologies', Infor, 21, 3, pp. 177-191,Business Source Complete, EBSCOhost, viewed 28 February 2015 Chopra, A. (2016). Security Issues of Firewall.International Journal of P2P Network Trends and Technology, 22(1), pp.4-9. Cobb, M. (2011)Add threat modelling to your web application security best practices. Availableat:http://www.computerweekly.com/tip/Add-threat-modelling-to-your-Web- application-security-best-practices(Accessed: 8 February 2017).
Dara, J. and Gundemoni, L. (2017). Credit card security and e-payment : enquiry into credit card fraud in e-payment. [online] Diva-portal.org. Available at: http://www.diva- portal.org/smash/record.jsf?pid=diva2%3A1023638&dswid=-7453 [Accessed 30 Mar. 2017]. Dickens, B. and Cook, R. (2005). Conflict of interest: Legal and ethical aspects. International Journal of Gynaecology & Obstetrics, 92(2), pp.192-197. DSouza,R.(2016)3approachestothreatmodelling.Availableat: http://threatmodeler.com/approaches-to-threat-modeling/(Accessed: 8 February 2017). Eastep, T. (2017). Basic Two-Interface Firewall. [Online] Shorewall.org. Available at: http://shorewall.org/two-interface.htm [Accessed 18 Apr. 2017]. Gibson,R(1998),'Softwareprocessmodelling:theory,resultsandcommentary', Proceedings Of The Thirty-First Hawaii International Conference On System Sciences, 3, p. 399, Publisher Provided Full Text Searching File, EBSCOhost, viewed 28 February 2015. Gritzalis, S. (2005). Public Key Infrastructure: Research and Applications.International Journal of Information Security, 5(1), pp.1-2. Han, K.H., Kang, J.G. and Song, M. (2009) ‘Two-stage process analysis using the process-based performance measurement framework and business process simulation’, Expert Systems with Applications, 36(3), pp. 7080–7086. Hanumesh, V. and Sunder, K. (2000).A Study of Security Issues in E-Commerce Applications. IETE Technical Review, 17(4), pp.209-214.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Hayashi,F.(2012).TheEconomicsofPaymentCardFeeStructure:Policy Considerations of Payment Card Rewards.SSRN Electronic Journal, 1. Herrmann, G. and Herrmann, P. (2004). Introduction: Security and Trust in Electronic Commerce.Electronic Commerce Research, 4(1/2), pp.5-7. Indi T, and Raut, S. (2012). Biometric Feature based Person Unique Identification System.International Journal of Computer Applications, 51(13), pp.7-12. ITknowledgeportal,(2015),SoftwareDevelopmentMethodologies.available: http://www.itinfo.am/eng/software-development-methodologies/.Lastaccessed23th March 2015 Jamil, A., Jamil, D., Ahmad, A.R. and Z`aba, M.R. (2015) ‘Threat modeling approaches for securing cloud Computing’,Journal of Applied Sciences, 15(7), pp. 953–967. Kelly, E. and Rowland, H. (2000).Ethical and online privacy issues in electronic commerce. Business Horizons, 43(3), pp.3-12. Корнієнко, Б. (2006). Analysis technologies firewall.Proceedings of National Aviation University, 28(2). Kumar,S.(2017a).ReviewonNetworkSecurityandCryptography.[online] Pubs.sciepub.com. Available at: http://pubs.sciepub.com/iteces/3/1/1/ [Accessed 21 Apr. 2017]. Kumar,S.(2017b).ReviewonNetworkSecurityandCryptography.[online] Pubs.sciepub.com. Available at: http://pubs.sciepub.com/iteces/3/1/1/ [Accessed 21 Apr. 2017].
Lee, K.-H. and Park, Y.B. (2016) ‘Adaption of integrated secure guide for secure software development Lifecycle’,International Journal of Security and Its Applications, 10(6), pp. 145–154. Li, X., He, K., Feng, Z. and Xu, G. (2012). Unified threat model for analyzing and evaluating software threats.Security and Communication Networks, p.n/a-n/a. Lin, K. (2017). Online Transaction Security Risk Management for E-commerce Web Applications.[Online]Article.sciencepublishinggroup.com.Availableat: http://article.sciencepublishinggroup.com/html/10.11648.j.ajomis.20170201.12.html [Accessed 16 Apr. 2017]. Long, P. and Vy, P. (2016a). Internet Banking Service Quality, Customer Satisfaction and Customer Loyalty. International Journal of Strategic Decision Sciences, 7(1),pp.1- 17. Long, P. and Vy, P. (2016b). Internet Banking Service Quality, Customer Satisfaction and Customer Loyalty:.International Journal of Strategic Decision Sciences, 7(1), pp.1- 17. Mason, S. (2014). World electronic signature legislation. Digital Evidence and Electronic Signature Law Review,10(0). McGrath, J. (2017).How has technology changed the way we conduct business. [Online] HowStuffWorks. Available at: http://money.howstuffworks.com/technology-changed- business.htm [Accessed 15 May 2017].
Mehta,R.(2016)ThreatModeling_Seminar.Availableat: http://www.slideshare.net/RoshanMehta1/threat-modelingseminar(Accessed: 8 February 2017). Menkus, B. (1997) ‘Understanding the denial of service threat’,EDPACS, 24(9), pp. 11– 17. Meyer, H. (2006a). Firewall fights intranet threat. Computers & Security, 15(6), p.519. Meyer, H. (2006b). Firewall fights intranet threat. Computers & Security, 11(3), p.432. Moore, A. (2007). Biometric technologies — an introduction. Biometric Technology Today, 15(1), pp.6-7. Morgan, D. (2004a). Network security and custom Web applications. Network Security, 2004(4), pp.15-17. Morgan, D. (2004b). Network security and custom Web applications. Network Security, 2004(4), pp.20-22. Nilsson, A, & Wilson, T (2012), 'Reflections on Barry W. Boehm's "A spiral model of software development and enhancement International Journal Of Managing Projects In Business, 5, 4, p. 737,Publisher Provided Full Text Searching File, EBSCOhost, viewed 28 February 2015. Ott, W.E. (2008) ‘The threat of hackers: The need to secure patient data & other important records on your agency’s notebook computers’,JEMS: Journal of Emergency Medical Services, 33(8), pp. 68–71.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Potter, B. (2009).Microsoft SDL Threat Modelling Tool. Network Security, 2009(1), pp.15-18. Pressman, R.S. (2009)Software engineering: A practitioner’s approach. 7th edn. Boston: McGraw Hill Higher Education. Pye, G. andWarren,M.(2007). E-businesssecuritybenchmarking:amodeland framework.International Journal of Information and Computer Security, 1(4), p.378. Riley, S. and Chaparro, B. (2006a). User Password Generation Practices and Strong Password Guideline Compliance.Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 50(17), pp.1812-1816. Riley, S. and Chaparro, B. (2006b). User Password Generation Practices and Strong Password Guideline Compliance.Proceedings of the Human Factors and Ergonomics Society Annual Meeting,50(17), pp.1814-1819. Samant, A. (2008).Managerial finance. 1st ed. [Bradford, England]: Emerald, pp.23-25. Sangita, D. and Madhuri, S. (2015) ‘Securing online banking transaction using predictive approach of hidden Markov model’,International Journal of Computer Applications, 128(7), pp. 14–17. Savola, R. and Abie, H. (2009). On-Line and Off-Line Security Measurement Framework for Mobile Ad Hoc Networks.Journal of Networks, 4(7). Savage, M. (2001).PayPal success in Web payments market could threaten e-purse.Card Technology Today, 13(6), pp.3-4.
Schneier, B. (2000)Secrets and lies: Digital security in a networked world.2nd edn. New York, NY: John Wiley & Sons. Sample, W. (2015).A threat-based approach to security. Computer Fraud & Security, 2015(2), pp.7-10. Shah,A(2001),'AFrameworkforthePrototype-basedSoftwareDevelopment Methodologies',Journal Of King Saud University - Computer And Information Sciences, 13, pp. 111-131, ScienceDirect, EBSCOhost, viewed 28 February 2015 Smith, F. (2016). 10 Tips to Improve Application Performance | NGINX. [Online] NGINX.Availableat:https://www.nginx.com/blog/10-tips-for-10x-application- performance/ [Accessed 21 Mar. 2017]. Stoica,M, Mircea,M,& Ghilic-Micu,B (2013), ‘SoftwareDevelopment:AgileVs Traditional’,Informatica Economica,17, 14, pp 64-65, Business Source Compelete, EBSCOhost, viewed 8 May 2017. Tomlinson, M. (2000) ‘Tackling e-commerce security issues head on’, Computer Fraud & Security, 2000(11), pp. 10–13. Virtue, T. (2013a). Payment card industry data security standard handbook. 1st ed. Hoboken, N.J.: Wiley. Virtue, T. (2013b). Payment card industry data security standard handbook. 1st ed. Hoboken, N.J.: Wiley Wagner, S., Madsen, P. and Ammer, C. (2009) ‘Evaluation of different approaches for modelling individual tree seedling height growth’,Trees, 23(4), pp. 701–715.
Weston,S.(2016)Applicationsthreatmodelling.Availableat: http://resources.infosecinstitute.com/applications-threat-modeling/#gre(Accessed:8 February 2017). Chen, Y. (2002). Signature files and signature trees. Information Processing Letters, 82(4), pp.213-221. Zalenski, R. (2002). Firewall technologies. IEEE Potentials, 21(1), pp.24-29.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Appendix

1. Time Scale Plan

Time scale planning is an important part of a reasonably sized project, as it helps in forecasting a well set out structure of the scheduled activities to be completed and their deliverables. This is an intensive project, and a provisional time for each scheduled task in this research is given below. A detailed report is shown on the Gantt chart below.

S/N | To do | Time scale | Deliverables
2 | Security tool study | 15 days | Questionnaire questions and Interview List
3 | Security application study | 20 days | Discussions and Test Plan
4 | Developing a new approach | 16 days | Results and Conclusions
5 | Comparing the developed approach with existing one | 14 days | Evaluation

Table 1: Time plan

2. Support Used

For this project, support will mainly be received from my personal supervisor, the library, books and the academic resource centre at Birmingham City University. In addition, university academic websites such as IEEE, Google Scholar, ProQuest and the ACM library will be used to support the research. E-commerce websites and resources from E-bay, Amazon, Jumia and Konga will be used as case studies to enhance this research. Also, HTML and the Java programming language were used to develop a functional website hosted on a local server.
3. Skills Audit

To complete any research process, skills need to be put into practice for a successful project. Over the last year, I have gained a lot of skills that were of great benefit in completing this research. Some of the research skills gained include data flow diagrams, database evaluation, business intelligence, strategic IT planning, data correlation, research skills, project management and time management. In addition, my ability to read comprehensively, document reports academically and paraphrase sentences professionally has improved. However, for this project to be successfully completed, there were skills I needed to develop. I developed skills in using JavaScript and HTML to make a website, and in framework development. I also gained insight into conducting academic interviews, research analysis, research design, research implementation and the testing process, which helped me increase my understanding of the entire project.