Tutorial - Secure Web Based Job Application

In an effort to minimize costs, many companies create web-based forms for job applications. But web hosting is mostly outsourced to hosting providers, which host hundreds of sites on the same server, potentially exposing the personal data of applicants to attack.

Here is a blueprint design for making a web based employment application with minimal risk of unnecessary exposure of the personal data of the applicants.

The process
The corporate web-based job application uses the following process:

  • The applicant fills in a web form, and the information is stored in a database.
  • The corporate HR operator accesses the database and applies appropriate filters to applicants to generate an automatic shortlist based on competencies and education.
  • Applicant data within the database can have an automatic retention setting to delete old records.

Summary Risk Analysis
The risk analysis of the design has the following assumptions:
  1. Web hosting is outsourced
  2. There is no direct link from the hosted web site to the corporate network
  3. The site is hosted on shared hosting with generic security provisions provided by the hosting provider for all hosted sites
  4. HTTPS is available for any web page on the outsourced hosting
With these assumptions in place, the main risk to the applicant data is from an attacker who compromises any of the hosted sites and gains access to the applicant database - should it be kept on the hosted servers.

Solution design
To mitigate the identified risk, the design separates the location of the application form from the actual database of personal information. The entire design is presented in the diagram below, with each numbered step described in detail:


  1. The applicant web form is hosted on the web hosting server. The web form is accessed via HTTPS. The applicant fills in the web form.
  2. The web form packages the information into an XML file, which is sent as an attachment to a signed and encrypted e-mail message to the corporate e-mail server
  3. The signed and encrypted e-mail message is read by an automated process; the signature is verified and the message is decrypted
  4. The XML file is extracted and parsed by a process on the internal application server
  5. The parsed information of the job applicant is sent to the HR database, located within the security zones of the corporate network - no access from the outside
  6. The HR operator uses a web interface to access the stored information via the internal application server
  7. The internal application server accesses the applicant data stored in the HR database
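
The XML hand-off in steps 2 and 4 can be sketched as follows. This is an added example, not code from the original post: the field names, length limits and `application/xml` attachment type are assumptions, and signing and encryption are left to a separate mail-security layer that is not shown. Because the XML originates on the shared host, the internal parser treats it as untrusted: it refuses DOCTYPE declarations, unknown elements, attributes and over-long values.

```python
import xml.parsers.expat
from email import message_from_bytes, policy
from email.message import EmailMessage
from xml.sax.saxutils import escape

# Assumed form schema (not from the post): field name -> maximum length.
FIELDS = {"name": 100, "email": 254, "education": 200, "competencies": 500}

def build_message(xml_bytes):
    msg = EmailMessage()
    msg.set_content("Application attached.")
    msg.add_attachment(xml_bytes, maintype="application", subtype="xml")
    return msg.as_bytes()  # the signing/encryption layer would wrap these bytes

def package_application(form):
    """Step 2 (hosted web form): serialise the fields, escaping markup."""
    body = "".join(f"<{k}>{escape(form[k])}</{k}>" for k in FIELDS)
    return build_message(f"<application>{body}</application>".encode("utf-8"))

def parse_application(raw):
    """Step 4 (internal server): extract the attachment and parse it strictly."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.iter_attachments())
    if len(parts) != 1 or parts[0].get_content_type() != "application/xml":
        raise ValueError("expected exactly one XML attachment")
    record, stack = {}, []
    def no_doctype(*_):
        raise ValueError("DOCTYPE/entity declarations are not accepted")
    def start(tag, attrs):
        root_ok = not stack and tag == "application"
        field_ok = len(stack) == 1 and tag in FIELDS and tag not in record
        if attrs or not (root_ok or field_ok):
            raise ValueError(f"unexpected element: {tag}")
        stack.append(tag)
        if field_ok:
            record[tag] = ""
    def text(data):
        if len(stack) == 2:  # only text directly inside a field element
            record[stack[1]] += data
            if len(record[stack[1]]) > FIELDS[stack[1]]:
                raise ValueError(f"field too long: {stack[1]}")
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = no_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = text
    parser.Parse(parts[0].get_content(), True)
    if set(record) != set(FIELDS):
        raise ValueError("missing fields")
    return record
```

Only the dictionary returned by `parse_application` should reach the HR database in step 5; a message that raises is dropped and logged rather than partially stored.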

Conclusion
The proposed design can be used as a prototype for a job application portal that minimizes the risk of data theft. There can be several modifications or variants of the design to target specific requirements and expectations.

Of course, this design will be disputed by most ISPs, since they claim that their sites are safe.

But in a corporate environment, the corporation is responsible for protecting the personal information of the registered persons. And should a security breach occur, no amount of penalties to the ISP will reduce the responsibility of the corporation.

Talkback and comments are most welcome
