
Penetration Testing and Application Security

4 years 8 months ago #186405 by omarisgreat
Hi LimeSurvey,

We're looking to use a self-hosted LimeSurvey installation to collect patient follow-up data within the UK for a clinical study, but our Information Security team is requesting additional information regarding your software development practices before approving the system for use. Would you be able to provide me with any information you have on the following?

"What we are trying to ask you below is that if LimeSurvey have conducted any type of testing in their code. This includes:
• Software composition analysis
• Dynamic analysis
• Static analysis
• Fuzzing (aka Fuzz Parsers)

Also, we would like to know if LimeSurvey follows any Secure Software Developing Practices? Some will be:
• Input Validation
• Output encoding
• Access control
• Authentication and password management (e.g. hashing of passwords is only on servers?)
• Session management
• Error handling and logging
• Database security
• Secure code review"

In addition, the IS team has also asked if you have conducted any Penetration Testing on your code and whether you have any reports you can provide.

Many Thanks,
Omar
4 years 8 months ago #186408 by jelo
Since this is an open-source tool, your Information Security team can answer many questions on their own. Some questions can only be answered by the administrator of the self-hosting environment (e.g. database security, since the database is not shipped with LimeSurvey).

When I look at the number of questions, I would assume that code review by your IS team is standard.

The security issues of the past can be found here.
www.cvedetails.com/vulnerability-list/ve...6900/Limesurvey.html

The code tests used (Scrutinizer and TravisCI) can be found here.
github.com/LimeSurvey/LimeSurvey

No continuous tests for security are known to me. If someone were to conduct them, they would be known to the public (because the amount of time and money would raise some interest or demands). The SaaS offer by LimeSurvey GmbH might be different.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
4 years 8 months ago #186442 by omarisgreat
Replied by omarisgreat on topic Penetration Testing and Application Security
Thank you, I've passed this on to the IS team; hopefully they will not have any further questions.