Security Testing Paves the Way for Secure Expansion of Clinical Trial Platform With eRegulatory Module
About Our Client
The Client is a US healthcare technology provider offering an electronic clinical trial management platform.
Post-Acquisition Assurance Required for Secure Platform Expansion
To uphold the strong security posture and compliance of its existing Clinical Trial Management System (CTMS) and cloud infrastructure, the Client sought independent security assessments. Protecting sensitive clinical trial data was central not only to meeting HIPAA, FDA 21 CFR Part 11, and SOC 2 requirements, but also to reinforcing customer trust and reducing the risk of regulatory or reputational exposure. At the same time, the Client was expanding its platform capabilities through the acquisition of a regulatory documentation management solution (an electronic Trial Master File, or eTMF). The company wanted to verify that this new system met the same security and compliance standards as its CTMS, ensuring it could be integrated safely and without undermining the confidence of its healthcare and life sciences customers.
The Client carefully shortlisted cybersecurity vendors and eventually commissioned ScienceSoft thanks to our hands-on experience in enabling security and data privacy for healthcare software, specifically CTMS and eTMF.
Application Pentests and Cloud Security Reviews
To ensure HIPAA compliance, ScienceSoft signed a Business Associate Agreement (BAA) with the Client before our security testing team embarked on the project. The project comprised gray-box penetration testing of the Client’s CTMS web app, AWS and Azure infrastructure security review, and gray-box penetration testing of the acquired eRegulatory solution’s web app and API. ScienceSoft’s team aligned the security testing activities with PTES, the OWASP Web Security Testing Guide, and the NIST 800-115 methodology and classified the discovered issues according to the OWASP Top 10 and OWASP API Top 10.
Phase 1: Gray-Box Pentesting of the CTMS Web Application
ScienceSoft’s security experts performed gray-box penetration testing of the CTMS web application using user credentials provided by the Client and within a controlled environment, ensuring that the test had no impact on real trial data. During the assessment, the testers identified several severe vulnerabilities, including an SQL injection flaw. By exploiting this vulnerability, they successfully gained unauthorized access to the application’s database, where they retrieved usernames and password hashes. This demonstrated how an actual attacker could escalate the issue to compromise sensitive data and user accounts.
Our testers recommended the following measures to fix the detected security issues:
- Apply secure coding practices so that user input is never inserted directly into database queries (the root cause of SQL injection). This would reduce the risk of attackers manipulating database requests to access or alter sensitive data.
- Validate user input based on strict, predefined formats (e.g., email patterns, name character sets) and reject any input that fails validation to block malicious content from entering the system. This would reduce the risk of client-side script injection and markup abuse.
- Apply HTML encoding to all user-supplied data before including it in web responses to prevent execution of malicious scripts in the user's browser (a common cause of cross-site scripting attacks).
- Disable weak cipher suites (e.g., CBC-based ciphers) in server TLS configurations to protect encrypted traffic from decryption, especially in man-in-the-middle scenarios.
- Include anti-CSRF tokens in state-changing requests and configure the SameSite attribute for cookies to prevent cross-site request forgery attacks.
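The following Python snippet is an added illustration of the first, second, third, and fifth recommendations above; it is not code from ScienceSoft or from the Client's CTMS. It uses an in-memory SQLite table as a stand-in for the user store (the table layout, user names, and hash values are constructed) and places the vulnerable query pattern next to its parameterized replacement, followed by allow-list input validation, HTML output encoding, and cookie/CSRF-token handling.

```python
import html
import re
import secrets
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's user table (not the Client's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "$2b$12$constructed-hash-1", "alice@example.com"),
            ("bob", "$2b$12$constructed-hash-2", "bob@example.com"),
        ],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # BEFORE: the input is spliced into the SQL text, so the input can change
    # the structure of the query instead of acting only as a value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # AFTER: a parameterized query ships the value separately from the SQL text;
    # the driver never interprets the value as SQL, whatever characters it holds.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Allow-list validation: accept only the characters and shapes the field needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def validate_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def render_greeting(display_name: str) -> str:
    # Output encoding: escape user data before it lands in HTML so markup or
    # script in the value is rendered as text rather than executed.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def issue_csrf_token() -> str:
    # Per-session random token to be embedded in state-changing forms.
    return secrets.token_urlsafe(32)


def csrf_token_valid(form_token: str, session_token: str) -> bool:
    # Constant-time comparison so the check does not leak token bytes via timing.
    return secrets.compare_digest(form_token, session_token)


def session_cookie_header(session_id: str) -> str:
    # Secure: HTTPS only. HttpOnly: not readable by scripts.
    # SameSite=Strict: not attached to cross-site requests, so a forged request
    # from another origin arrives without the victim's session.
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

`find_user_vulnerable` is kept only to show the pattern the recommendation removes; in a real code base every query follows the `find_user_safe` form, and the allow-list regexes are applied at the trust boundary before any further processing.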
After the Client concluded the remediation activities, ScienceSoft conducted a re-test and confirmed the strong cybersecurity posture of the CTMS web application.
Phase 2: AWS and Azure Infrastructure Security Review
ScienceSoft began with the AWS security review, which covered cloud storage, relational and NoSQL databases, and core networking components. The audit revealed 10 security issues, and ScienceSoft’s team drew up a list of remediation measures, such as:
- Enable Multi-Factor Authentication (MFA) for all IAM users to reduce the risk of unauthorized account access, even if a password is compromised.
- Restrict public access to RDS instances to reduce the risk of brute-force attacks, SQL injection, and data theft.
- Enable MFA Delete on S3 buckets to protect trial documentation and regulatory records from unauthorized or accidental deletions and to support compliance with data retention policies.
- Configure Network ACLs to restrict access to admin ports and prevent attackers from directly accessing critical resources, e.g., over SSH or RDP.
- Enable AWS Config to continuously track resource configurations, aiding in change control and audits.
- Enable Amazon GuardDuty for threat detection and alerting.
- Enable S3 versioning to retain historical versions and support recovery of overwritten or deleted documents, ensuring traceability and data integrity.
- Enforce IAM password policies with 90-day expiration to reduce exposure time for compromised passwords and enforce regular credential updates in line with healthcare security best practices.
- Deactivate unused IAM credentials after 45 days to close off potential entry points from forgotten or abandoned accounts that could be exploited without detection.
- Enable VPC Flow Logs to monitor network traffic and detect abnormal access patterns or data movement that may indicate policy violations or breaches.
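As an added example of how the IAM-related items in this list (MFA for every user, 90-day password age, deactivation of credentials unused for 45 days) can be checked on an ongoing basis, the Python below audits an IAM credential report. The column names follow the real report format, but the rows, account ID, users, and dates are constructed for the example, and the report is trimmed to the columns the checks use; this is not ScienceSoft's or the Client's tooling.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Thresholds taken from the recommendations above.
PASSWORD_MAX_AGE_DAYS = 90
UNUSED_CREDENTIAL_DAYS = 45

# Constructed sample in the column layout of the IAM credential report
# (in practice obtained from iam.get_credential_report()["Content"]).
# Users, account ID and dates are invented; columns not used here are omitted.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-30T08:12:00+00:00,2024-04-01T10:00:00+00:00,N/A,true,true,2024-04-01T10:00:00+00:00,2024-05-29T17:45:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2023-01-10T09:00:00+00:00,true,2024-05-28T08:12:00+00:00,2023-11-01T10:00:00+00:00,N/A,false,false,N/A,N/A
legacy-svc,arn:aws:iam::111122223333:user/legacy-svc,2022-06-01T09:00:00+00:00,false,no_information,not_supported,not_supported,false,true,2023-02-01T10:00:00+00:00,2024-01-15T12:00:00+00:00
"""

# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value: str):
    """Return a datetime, or None for the report's N/A / no_information / not_supported markers."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now: datetime = NOW) -> list:
    """Return (user, finding) pairs for the three IAM hygiene checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"

        # Check 1: console users must have MFA enabled.
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        # Check 2: password age against the 90-day rotation policy.
        changed = parse_ts(row["password_last_changed"])
        if has_password and changed and now - changed > timedelta(days=PASSWORD_MAX_AGE_DAYS):
            findings.append((user, f"password older than {PASSWORD_MAX_AGE_DAYS} days"))

        # Check 3: active access keys that have not been used for 45 days.
        # A key that was never used counts from its last rotation date.
        if row["access_key_1_active"] == "true":
            last_used = parse_ts(row["access_key_1_last_used_date"]) or parse_ts(row["access_key_1_last_rotated"])
            if last_used and now - last_used > timedelta(days=UNUSED_CREDENTIAL_DAYS):
                findings.append((user, f"access key unused for more than {UNUSED_CREDENTIAL_DAYS} days"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

The checks are written against the report rather than against live API calls so they can run offline in a pipeline step; the same thresholds can be enforced by the IAM account password policy and an access-key rotation rule, with this script serving as the audit evidence the compliance items above call for.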
ScienceSoft followed with an Azure security review that covered virtual machines, cloud storage, managed SQL and NoSQL databases, Kubernetes clusters, and built-in security tooling. Our experts identified 55 security issues and compiled a list of suggested remediation activities, including:
- Encrypt storage accounts and databases with Customer Managed Keys (CMKs) to protect sensitive clinical and regulatory data against unauthorized access and support compliance with HIPAA, GDPR, and FDA 21 CFR Part 11.
- Encrypt all OS and data disks using CMKs to ensure that all storage at rest is protected.
- Restrict public access to RDP, SSH, HTTP(S), and UDP traffic, minimizing exposure to remote attacks.
- Configure network access rules to deny access to storage accounts by default and allow only specific trusted networks, enforcing a zero-trust model and preventing unauthorized access to sensitive storage assets.
- Set up logging and monitoring (NSG flow logs, storage logging, etc.) with a minimum retention period of 90 days, enabling forensic and auditing capabilities critical for regulated environments.
- Enable Multi-Factor Authentication (MFA) for all users, ensuring an extra layer of protection from unauthorized access.
- Restrict Azure AD portal and directory permissions (e.g., limit guest invites, app registration, admin portal access), establishing a tight control over identity scope and propagation and reducing insider risks.
- Set up Microsoft Defender for Containers and Azure App Service, enabling vulnerability and anomaly detection in containerized workloads and application hosting environments.
- Enable activity log alerts for firewall rule changes, security policy deletions, IP address updates, and other critical changes, improving visibility into suspicious operations that could compromise data or compliance.
- Enable secure data transfer settings and enforce SSL for storage and managed database services to protect data in transit.
The Client followed the remediation steps suggested by ScienceSoft and implemented stronger access controls, data protection mechanisms, telemetry, and governance procedures. This created a secure landing zone for integrating the acquired eTMF into the core platform.
Phase 3: Gray-Box Pentesting of the Acquired eTMF’s Web App and API
ScienceSoft performed gray-box penetration testing of the web application and API of the regulatory documentation management solution (eTMF). For the test, the Client provided user and admin credentials. Our testers discovered five non-critical security issues, including security misconfigurations and vulnerable JavaScript libraries. ScienceSoft recommended the following corrective measures:
- Implement missing HTTP security headers to prevent clickjacking, block MIME-type sniffing, and enforce HTTPS.
- Update or replace outdated JavaScript libraries to close potential exploitation vectors.
- Avoid disclosing detailed software version information to limit reconnaissance opportunities for attackers.
- Add CAPTCHA protection to the Zendesk widget in the feedback form to prevent email abuse and spam campaigns.
- Renew expiring SSL certificates to maintain encryption continuity and avoid browser warnings that could undermine user confidence.
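The following Python check is an added illustration of the first and third items in this list (missing security headers and version disclosure); it is not ScienceSoft's tooling or captured from the Client's eTMF. Both header sets are constructed: one resembling a response before remediation, one after. The 180-day HSTS minimum is an assumption chosen for the example.

```python
import re

# Constructed response headers, before and after remediation (not captured from any real system).
BEFORE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "Express",
    "Content-Type": "text/html; charset=utf-8",
}

AFTER_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

HSTS_MIN_AGE_SECONDS = 180 * 24 * 3600  # assumption: minimum accepted max-age for this check
VERSION_RE = re.compile(r"\d+\.\d+")


def check_security_headers(headers: dict) -> list:
    """Return a list of findings for a single HTTP response's headers."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive must be present.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")

    # MIME sniffing: browsers must respect the declared Content-Type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("MIME sniffing: X-Content-Type-Options: nosniff missing")

    # HTTPS enforcement: HSTS present with an adequate max-age.
    hsts = h.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if match is None or int(match.group(1)) < HSTS_MIN_AGE_SECONDS:
        findings.append("HTTPS not enforced: Strict-Transport-Security missing or max-age too short")

    # Version disclosure: product version numbers in Server / X-Powered-By aid reconnaissance.
    for name in ("server", "x-powered-by"):
        if name in h and VERSION_RE.search(h[name]):
            findings.append(f"version disclosure in {name}: {h[name]}")

    return findings


if __name__ == "__main__":
    print("before:", check_security_headers(BEFORE_HEADERS))
    print("after: ", check_security_headers(AFTER_HEADERS))
```

Header names are compared case-insensitively because HTTP header names are case-insensitive and servers vary in the casing they emit; a check that looks for the exact string `X-Frame-Options` would miss a valid `x-frame-options` header.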
The Client implemented the suggested security measures, which ScienceSoft verified with a re-test. This ensured that the integration of the acquired solution added new capabilities without introducing avoidable risks.
Security Assessments Helped Expand CTMS Without Compromising Strong Security and Compliance
ScienceSoft conducted gray-box penetration tests and cloud security reviews for a US provider of clinical trial management software. ScienceSoft examined the Client’s existing CTMS, its underlying AWS and Azure infrastructure, and an acquired regulatory documentation management solution (eTMF). The security assessments’ findings strengthened the Client’s ability to:
- Detect and investigate incidents faster by improving visibility into network activity, system changes, and security events across both cloud infrastructure and web apps.
- Maintain HIPAA, FDA 21 CFR Part 11, and SOC 2 audit readiness with concrete evidence of access and change controls, encryption, and logging mechanisms.
- Enhance cyber defenses, cutting the risk of data or user account compromise.
- Limit insider risk and blast radius of a potential security incident through tighter identity and admin boundaries, reduced public exposure, and retirement of stale credentials.
- Preserve data integrity and recovery options with safeguards that prevent silent tampering or irreversible deletion, enabling compliant retention, rollback, and dependable audit trails.
- Ensure a secure, well-governed cloud foundation for the clinical trial platform by eliminating vulnerabilities on both AWS and Azure.
Technologies and Tools
Wireshark, Metasploit, Nessus, Burp Suite, Acunetix, SSLScan, WhatWeb, Nikto, Nmap, DIRB, Postman, jwt_tool, hashcat, sqlmap, curl, Python, C, Perl.