Research
Lindsay's thesis research reviewed "How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores", a paper on logic flaws in e-commerce software that uses a third-party cashier (e.g. PayPal), and how those flaws were exploited to purchase something online for free or at a lower price. She created a case study on the paper to help teach students how to identify logic flaws and how much of an impact such flaws can have. This is important because, according to Gary McGraw in Software Security: Building Security In, about 50% of software vulnerabilities are bugs in the code itself, which can often be found using various scanners. The other 50% are design flaws, which you can't really scan for; you need people with security knowledge to find them.
A course module with a case study was developed to teach students about the topic of logic flaws, and how to test for them with a manual code review method. It was taught at NC A&T State University. A paper on the course module was accepted to the Frontiers in Education 2015 conference, and a poster was presented at the Women in Cyber Security (WiCyS) 2015 conference. The poster is available below.
Lindsay's previous research was on the topic of Clickjacking. Clickjacking is a form of UI-Redress attack where a victim thinks they are interacting with the webpage they see, but their clicks actually land on a hidden webpage. The attack does not use software vulnerabilities in a web application, but takes advantage of the HTML iframe element and often the CSS opacity property. Clickjacking only works if the victim is already logged into a website, such as a social networking site. Clickjacking is a fairly static attack, and Lindsay was specifically interested in how the attacks change over time. She presented a poster with her research results at the Women in Cyber Security (WiCyS) 2014 conference and the College of Engineering Graduate Poster Competition. Below is an image of the poster and the poster text.
Lindsay developed a hands-on course module on Clickjacking, which was taught at NC A&T State University. A paper on the course module was accepted to the Information Security Curriculum Development (InfoSecCD) conference. It was published by ACM and the Information Security Education Journal (ISEJ).
After assisting another student with a course module on Web Tracking and Privacy, Lindsay helped write a paper on teaching students about online behavioral tracking and the related privacy, legal, and regulatory issues. This was submitted to the 7th Annual Southeastern Cyber Security Summit.