[OWASP-Security101] Application Help Desk with Confidential Information

Tomás Gutiérrez tomas.gutierrez at scalablepath.com
Fri Nov 7 14:23:08 UTC 2014

Hi everyone,

I'm working on a project with the following topology:

   - Web application where end-users can submit a request containing PII
   - Backend where organizational users can process the requests
   - Need to interact with end-users through secure channels to
   correct/validate confidential data

Currently investigating:

   - Voltage SecureMail <http://www.voltage.com/products/securemail/>
      - Nutshell: MX server --> Encrypts message && stores in their system
      --> Notifies user with public key & message attachment --> requires
      user to create an account in their system & validate identity (email
      validation) --> Decrypts message & displays content (on their system)
      --> Allows response (same manner as before)
      - ~$6k & $600/yr thereafter
   - Zendesk
      - Pending technical discussion on PII data - not very hopeful
   - Homegrown encrypted message exchange which sends a link to the end
   user, and requires challenge from PII to interact with thread - just an
   idea at this time

Haven't found anything that I love so far.

Thoughts from the community? Would be interested in comments on the above,
or any new ideas for this type of security pattern.

Happy Friday!
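
Editor's note: the third option above (emailed link plus a PII challenge before the thread opens) is worth sketching, because the security of the pattern rests on a handful of details that are easy to get wrong: the link secret must be unguessable and stored only as a hash, the PII answer must be stored as a salted slow hash and compared in constant time, guesses must be counted and locked out, and the link and session must expire. The example below is added here and is not code from the original post or from any vendor mentioned in it. The host name helpdesk.example, the TTLs, the lockout threshold, the answer-normalization rule, and the in-memory storage are all assumptions; a real deployment would persist threads in a database and encrypt message bodies at rest with a proper library (AES-GCM or similar), which this sketch omits.

```python
"""Sketch of the "emailed link + PII challenge" help-desk pattern.
Added example, not from the original post. Storage is an in-memory dict
(assumption); message bodies are not encrypted at rest here."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

LINK_TTL = 7 * 24 * 3600      # assumed: invite link valid for one week
SESSION_TTL = 30 * 60         # assumed: 30-minute session after a passed challenge
MAX_ATTEMPTS = 5              # assumed: lock the thread after this many wrong answers
PBKDF2_ITERS = 100_000        # slow hash for the PII answer (it is low-entropy)


@dataclass
class Thread:
    token_hash: bytes          # only a SHA-256 of the link secret is stored
    expires_at: float
    salt: bytes
    answer_hash: bytes         # PBKDF2 of the normalized PII answer
    attempts: int = 0
    locked: bool = False
    messages: list = field(default_factory=list)


def normalize(answer: str) -> str:
    # Assumed normalization rule: lowercase, drop spaces and dashes.
    # Must be applied identically at enrolment and at challenge time.
    return "".join(ch for ch in answer.lower() if ch not in " -")


def hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def hash_answer(salt: bytes, answer: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERS)


class HelpDesk:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.threads = {}              # thread_id -> Thread
        self.sessions = {}             # session_id -> (thread_id, expires_at)

    def open_thread(self, pii_answer: str, first_message: str):
        """Staff opens a thread; returns (thread_id, token). The raw token
        exists only in the emailed link, never in the database."""
        thread_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.threads[thread_id] = Thread(
            token_hash=hash_token(token),
            expires_at=self.now() + LINK_TTL,
            salt=salt,
            answer_hash=hash_answer(salt, pii_answer),
            messages=[("staff", first_message)],
        )
        return thread_id, token

    @staticmethod
    def invite_link(thread_id: str, token: str) -> str:
        # Hypothetical host. The token rides in the URL fragment so it is not
        # sent in Referer headers or written to server and proxy access logs;
        # the page's script submits it in a POST body.
        return f"https://helpdesk.example/t/{thread_id}#{token}"

    def authenticate(self, thread_id: str, token: str, answer: str):
        """Returns a session id, or None on every failure (one generic path,
        so the response does not reveal which check failed)."""
        t = self.threads.get(thread_id)
        if t is None or t.locked or self.now() > t.expires_at:
            return None
        if not hmac.compare_digest(hash_token(token), t.token_hash):
            return None            # wrong link secret: not counted as a PII guess
        if not hmac.compare_digest(hash_answer(t.salt, answer), t.answer_hash):
            t.attempts += 1        # holder of the link is guessing the PII
            if t.attempts >= MAX_ATTEMPTS:
                t.locked = True    # staff must re-verify and re-issue
            return None
        t.attempts = 0
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (thread_id, self.now() + SESSION_TTL)
        return sid

    def _thread_for(self, sid: str):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        thread_id, expires_at = entry
        if self.now() > expires_at:
            del self.sessions[sid]
            return None
        return self.threads[thread_id]

    def read(self, sid: str):
        t = self._thread_for(sid)
        return None if t is None else list(t.messages)

    def reply(self, sid: str, body: str) -> bool:
        t = self._thread_for(sid)
        if t is None:
            return False
        t.messages.append(("user", body))
        return True
```

Two caveats a reviewer would raise on this pattern: the PII used as the challenge (last four digits, date of birth) is low-entropy and often findable, which is why the link secret is the primary factor and the challenge only raises the bar for someone who already has the mailbox; and because wrong answers are only counted for holders of the valid link, a compromised mailbox can lock the legitimate user out, so the recovery path (staff re-verification and a fresh link) has to be designed alongside the lockout.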

