Questionmark Perception is designed to deliver high-stakes assessments over the Internet or an intranet. To accomplish this successfully, Perception uses sophisticated security mechanisms that work alongside the security configuration of corporate and academic networks. This ensures that Perception is secure enough that it cannot be compromised.
Some security improvements for Perception version 4 are included in the following table.
| Security Feature | Description |
| --- | --- |
| Encrypted Password | All administrator passwords are encrypted when stored in the database. |
| MD5 Checksum for URLs | MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. This has been used to ensure that URLs containing sensitive parameters have not been manipulated when passed back to Perception. |
| Cookies not used to store sensitive information | Cookies stored on client machines only contain user preferences. They do not contain sensitive information such as answers, passwords, etc. |
| Buffer overflows | A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of its fixed memory allocation. Perception uses the techniques available in the .NET framework and dynamic buffers to reduce the risk of this occurring. |
| SQL Injection limitations | SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. Perception has been developed and tested to reduce the risk of this occurring by using parameterized queries or stored procedures. |
| Encryption of QML Data | Questions stored in the system are stored as QML. The QML code is encrypted when stored in the database so that changes cannot be made unless the appropriate access is granted. |
| SSL Encryption | Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications over the Internet. Perception can be configured to use SSL to ensure communication between participants and the server is secure. For further details about using Perception with SSL, please refer to "Can I run Perception Server under SSL (Secure Sockets Layer)?" |
| Ability to enforce user access control | Perception can be configured to use Single Sign On (SSO). SSO provides organizations with the ability to manage and enforce user access to Perception from other applications. For further details about SSO, please refer to "What is Best practice on how to develop software to add Single Sign-On to Perception into another application?" |
| Inactive session timeouts | If a session has remained inactive for a set time, the system will automatically close the session and not allow the user to carry out another task until they have logged back in. This reduces the risks associated with a user leaving an assessment or Enterprise Manager running after they have left the computer. The timeout can be adjusted in the settings; for further details please refer to the [Settings] section of the "What server settings can I make in the perceptionv4.ini file?" Knowledge Base article. |
| Production of updates (Hotfixes) | Hotfixes are produced when an issue is identified; these can be found on the hotfixes page. |
| Cross scripting audit | Perception has undergone a security audit and has been revised to ensure that the vulnerabilities that were identified have been corrected. |
| Ability to authenticate Perception users through 3rd Party systems | Perception participants and administrators can also be authenticated from 3rd party software, such as SumTotal LMS, Shibboleth etc. For further details please refer to the following Knowledge Base articles. |
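
The "MD5 Checksum for URLs" row describes detecting manipulated URL parameters. The page does not say how Perception computes its checksum, so the following is an added example (not Questionmark's code) of the general technique: a keyed MAC over the parameters, using HMAC-SHA256 in place of MD5, with an unkeyed digest shown for contrast. The key, URL and parameter names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed demo key (assumption); a real server loads a random secret from its config.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(pairs):
    """Serialise parameters in sorted order so signer and verifier hash identical bytes."""
    return urlencode(sorted(pairs)).encode("utf-8")


def sign_url(base, params, key=SERVER_KEY):
    """Return base?params&sig=<HMAC-SHA256 over the canonical parameters>."""
    pairs = list(params.items())
    sig = hmac.new(key, _canonical(pairs), hashlib.sha256).hexdigest()
    return base + "?" + urlencode(pairs + [("sig", sig)])


def verify_url(url, key=SERVER_KEY):
    """Return the parameters as a dict if the signature is valid, else None."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "sig"]
    rest = [(k, v) for k, v in pairs if k != "sig"]
    if len(sigs) != 1:
        return None  # missing or duplicated signature
    if len({k for k, _ in rest}) != len(rest):
        return None  # duplicated parameter names are ambiguous; reject
    expected = hmac.new(key, _canonical(rest), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sigs[0].encode("utf-8")):
        return None
    return dict(rest)


def unkeyed_md5(params):
    """Unkeyed digest for contrast: it needs no secret, so it detects accidental
    corruption only, not deliberate edits by whoever holds the URL."""
    return hashlib.md5(_canonical(list(params.items()))).hexdigest()
```

The signature covers only the query parameters; a deployment that also needs to bind the path or an expiry time would include those in the MAC input.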
In addition to the above security improvements, Questionmark continually reviews its code to ensure that the software remains stable and secure, with hotfixes and updates being released swiftly after a potential security hole has been identified.
Questionmark also has the ability to call on a secure browser to present to participants. The secure browser, Questionmark Secure, is designed to provide a secure environment to deliver high stakes assessments such as tests and exams. Questionmark Secure is capable of the following features:
Questionmark Perception relies heavily on the security that is provided by the operating environment. Unless the operating environment is set up securely, the features that are embedded within Perception are ineffective. For some further details about hardening your Windows environment please refer to:
Windows Server 2003 Hardening List