Question in regards to security

We are looking into implementing osTicket as a part of our support system but I have a very important question...

We work with financial institutions and as such, customers will occasionally be attaching documents to tickets with personal or confidential information.

That said, how secure would osTicket be for those purposes? My assumption is that it is fairly secure, as I even see a vulnerabilities section in the forum, but I would appreciate some input.



  • The only ways that someone would be able to access the attached files is:

    1. The staff's account is compromised. This can be further secured by limiting access to this section to a select subnet or group of subnets. This would limit the access to the departments that the employee has access to and the tickets assigned to those departments.

    2. The ticket opener's credentials are compromised. This can be further secured by the addition of a simple web authentication to actually get to the server in the first place. This would limit the access to just the tickets that the user opened and thus only that customer's attachments.

    3. The MySQL database credentials are compromised. This relies on the server's security. If someone breaks into the server itself then you can be pretty sure that they will be able to retrieve all your documents once they get the osTicket DB creds.

    I find it important to note that you will have pretty much the same attack vectors with any web based application.

    If you are very concerned with this sort of thing, you could delete tickets with attachments after X days, or mod osTicket to remove attachments after x amount of time.

    Does that answer your question?
  • That helps very much, thank you. That is what I was thinking but you stated it far better than I could have.
  • Glad to be of assistance. :)
