Hi LimeSurvey,

We're looking to use a self hosted LimeSurvey installation to collect patient follow-up data within the UK for a clinical study but our Information Security team is requesting additional information regarding your software development practices before approving the system for use. Would you be able to provide me any information you have on the following?:

"What we are trying to ask you below is that if LimeSurvey have conducted any type of testing in their code. This includes:
• Software composition analysis
• Dynamic analysis
• Static analysis
• Fuzzing (aka Fuzz Parsers)

Also, we would like to know if LimeSurvey follows any Secure Software Developing Practices? Some will be:
• Input Validation
• Output encoding
• Access control
• Authentication and password management (e.g. hashing of passwords is only on servers?)
• Session management
• Error handling and logging
• Database security
• Secure code review"

In addition, the IS team has also asked if you have conducted any Penetration Testing on your code and whether you have any reports you can provide.

Many Thanks,
Omar

Since this an opensource tool, your Information Security team can answer many questions on their own. Some questions can only be answered by the administrator of the selfhosting environment (e.g. Database security, since the database is not shipped with LimeSurvey).

When I look at the amount of questions, I would assume that codereview by your IS-team is standard.

The security issues of the past can be found here.
www.cvedetails.com/vulnerability-list/ve...6900/Limesurvey.html

The code tests used (Scrutinizer and TravisCI) can be found here.
github.com/LimeSurvey/LimeSurvey

No continuous tests for security are known to me. If someone would conduct them, they would be known to the public (Cause the amount of time and money would raise some interest or demands). The SaaS offer by LimeSurvey GmbH might be different.

Thank you, I've passed this on the IS team, hopefully they will not have any further questions