[OWASP-Security101] Application Help Desk with Confidential Information

NightShade avghacker at gmail.com
Fri Nov 14 13:58:55 UTC 2014


Just some other thoughts:

There are also a number of non-application factors to consider.  
I'm going to assume you are using a tiered architecture where the App 
server and the DB server are separate.  Additionally you probably want 
to have a slave DB for backup and more than one App server for high 
availability.  All of those servers need to be hardened in accordance 
with best practices.  Additionally, all of these servers should be on 
their own VLAN for isolation from the local user population.

Some obvious, but often overlooked points:

Don't hard code passwords in the application anywhere
Ensure you are following a Secure SDLC process (code testing, scanning for 
vulnerabilities, etc.)

Voltage also makes a product that can do data masking so your backend 
staff can access portions of the data while other parts are encrypted 
(i.e., they can see the last 4 digits of the SSN if required for security 
confirmation, but not the rest).



On 11/13/2014 6:33 PM, Greg Merideth wrote:
> For a health insurance data collection system I set up a registration system that requires a two-factor key along with the client's credentials.  In the case where users don't have smartphones I wrote a Windows .NET app they can download that mirrors what the cell phone authentication system does.  I assumed any path will be compromised so I made each link one-time use.
>
> Anyone accessing a client's email will find that none of the links in any email message work even with the one-time key.  When an internal rep wants the end user to update their information a one-time link is generated and the user 2FA's in and updates the data.  It's a trade-off between users browsers crashing and needing a new link and their PII data leaking from our end.
>
> That and the usual encrypted passwords and social-security numbers in the database.
>
> We also don't allow password resets - a password reset request goes to an internal team member who verifies over the phone or other methods who that person is and then sends a link to reset either the password or the 2FA code.
>
> -----Original Message-----
> From: Tomás Gutiérrez [mailto:tomas.gutierrez at scalablepath.com]
> Sent: Friday, November 7, 2014 9:23 AM
> To: security101 at lists.owasp.org
> Subject: [OWASP-Security101] Application Help Desk with Confidential Information
>
> Hi everyone,
>
> I'm working on a project with the following topology:
>
>
>     - Web application where end-users can submit a request containing PII
>     data
>     - Backend where organizational users can process the requests
>     - Need to interact with end-users through secure channels to
>     correct/validate confidential data
>
>
> Currently investigating:
>
>     - Voltage SecureMail <http://www.voltage.com/products/securemail/>
>        - Nutshell: MX server --> Encrypts message && stores in their system
>        --> Notifies user with public key & message attachment --> requires user to
>        create an account in their system & validate identity (email validation)
>        --> Decrypts message & displays content (on their system) --> Allows
>        response (same manner as before)
>        - ~$6k & $600/yr thereafter
>     - Zendesk
>        - Pending technical discussion on PII data - not very hopeful
>     - Homegrown encrypted message exchange which sends a link to the end
>     user, and requires challenge from PII to interact with thread - just an
>     idea at this time
>
> Haven't found anything that I love so far.
>
> Thoughts from the community? Would be interested in comments on the above, or any new ideas for this type of security pattern.
>
> Happy Friday!
>
> Tomás
> http://about.me/tomas.gutierrez
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
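Three of the ideas in this thread fit together in one small piece of code: Greg's single-use links (a link lifted from a compromised mailbox is useless once redeemed or expired), Tomás's "homegrown" option of challenging the end user with a piece of PII before the thread opens, and NightShade's point that back-office staff should only ever see a masked form such as the last 4 digits of the SSN. The following is an added example written for this page, not code from any poster, Voltage or Zendesk. The key, request IDs, SSNs and the 24-hour/3-attempt policy values are constructed, and an in-memory dict stands in for the database table.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values chosen for this example.
TOKEN_TTL_SECONDS = 24 * 3600   # a link dies after a day even if never clicked
MAX_CHALLENGE_ATTEMPTS = 3      # last 4 of an SSN has only 10,000 values; cap guesses


def mask_ssn(ssn: str) -> str:
    """Return the form a back-office rep may see, e.g. '***-**-6789'."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


@dataclass
class LinkRecord:
    request_id: str     # the help-desk request this link may update
    last4_mac: str      # keyed MAC of the last 4 SSN digits (the challenge answer)
    expires_at: float
    used: bool = False
    attempts: int = 0


class OneTimeLinkStore:
    """Issues and redeems single-use links. The dict stands in for a DB table."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key   # assumed to come from config/KMS, never hard-coded
        self._now = now          # injectable clock so expiry can be exercised
        self._records = {}       # MAC(token) -> LinkRecord

    def _mac(self, value: str) -> str:
        # Keyed hash: a plain SHA-256 of a 4-digit value (or of the token) is
        # trivially reversible if the table leaks, so bind it to a server secret.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def issue(self, request_id: str, ssn: str) -> str:
        """Create a link token for request_id. Only the MAC of the token is stored."""
        token = secrets.token_urlsafe(32)
        last4 = mask_ssn(ssn)[-4:]           # validates the SSN and keeps only last 4
        self._records[self._mac(token)] = LinkRecord(
            request_id=request_id,
            last4_mac=self._mac(last4),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token   # goes into the e-mail as the ?t=<token> query parameter

    def redeem(self, token: str, last4_answer: str):
        """Return (request_id, 'ok') on success, else (None, reason)."""
        rec = self._records.get(self._mac(token))
        if rec is None:
            return None, "unknown token"
        if rec.used:
            return None, "already used"
        if self._now() > rec.expires_at:
            rec.used = True
            return None, "expired"
        rec.attempts += 1
        if rec.attempts > MAX_CHALLENGE_ATTEMPTS:
            rec.used = True          # burn the link; a rep must issue a fresh one
            return None, "too many attempts"
        if not hmac.compare_digest(rec.last4_mac, self._mac(last4_answer)):
            return None, "challenge failed"
        rec.used = True              # single use: a replay from a stolen mailbox fails
        return rec.request_id, "ok"


if __name__ == "__main__":
    store = OneTimeLinkStore(b"constructed-server-key")
    token = store.issue("REQ-42", "123-45-6789")      # constructed values
    print("rep sees:", mask_ssn("123-45-6789"))
    print(store.redeem(token, "0000"))   # wrong challenge answer
    print(store.redeem(token, "6789"))   # correct answer, link consumed
    print(store.redeem(token, "6789"))   # replay is rejected
```

The token in the e-mail is the only copy; the table holds a keyed MAC of it, so a dump of the table does not let an attacker forge or replay links. The attempt cap matters more than the MAC for the 4-digit challenge, since anyone who holds both the table and the server key could still enumerate 10,000 guesses offline; the cap limits what an online attacker with a stolen link can do.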


