[OWASP-Security101] Application Help Desk with Confidential Information

Tomás Gutiérrez tomas.gutierrez at scalablepath.com
Fri Nov 7 14:23:08 UTC 2014


Hi everyone,

I'm working on a project with the following topology:


   - Web application where end-users can submit a request containing PII data
   - Backend where organizational users can process the requests
   - Need to interact with end-users through secure channels to correct/validate confidential data


Currently investigating:

   - Voltage SecureMail <http://www.voltage.com/products/securemail/>
      - Nutshell: MX server --> Encrypts message && stores in their system --> Notifies user with public key & message attachment --> requires user to create an account in their system & validate identity (email validation) --> Decrypts message & displays content (on their system) --> Allows response (same manner as before)
      - ~$6k & $600/yr thereafter
   - Zendesk
      - Pending technical discussion on PII data - not very hopeful
   - Homegrown encrypted message exchange which sends a link to the end user, and requires challenge from PII to interact with thread - just an idea at this time

Haven't found anything that I love so far.

Thoughts from the community? Would be interested in comments on the above,
or any new ideas for this type of security pattern.

Happy Friday!

Tomás
http://about.me/tomas.gutierrez


More information about the Security101 mailing list