In the fall of 2011 I made the following argument:
We need more transparency in the LMS market, and clients should have access to objective measurements of the security of a solution. To paraphrase Michael Feldstein’s suggestions from a 2009 post:
- There is no guarantee that any LMS is more secure just because they say they are more secure
- Customers should ask for, and LMS vendors should supply, detailed information on how the vendor or open source community has handled security issues in practice
- LMS providers should make public a summary of vulnerabilities, including resolution time
I would add to this call for transparency that LMS vendors and open source communities should share information from their third-party security audits and tests. All of the vendors that I talked to have some form of third-party penetration testing and security audits; however, how does this help the customer unless this information is transparent and available? Of course this transparency should not include details that would advertise vulnerabilities to hackers, but there should be some manner to be open and transparent on what the audits are saying. [new emphasis added]
Inspired by fall events and this call for transparency, Instructure (maker of the Canvas LMS) decided to hold an public security audit using a white hat testing company, where A) the results of the testing would be shared publicly, and B) I would act as an independent observer to document the process. The results of this testing are described in two posts at e-Literate and by a post at Instructure.
Instructure has kept up the practice and just released their third public security audit.
To be clear, we are continually performing security audits on Canvas. Occasionally, our customers even call for their own third-party audits, which we fully support. But once a year, we bring in a third party for an annual public audit, which helps us remain objective and committed to the security of your information.
This year we retained the company Secure Ideas, a network security consulting firm based in Orange Park, Florida. Their security consultants have spent years researching various exploits and vulnerabilities, building toolsets, and helping organizations secure their networks.
This year’s audit started in November 2013. Secure Ideas spent three weeks doing penetration testing and conducting a general review of Canvas’ security architecture. They presented their findings in this Final Summary Report. In short, they found 0 critical, 1 high, 1 medium, and 2 low priority vulnerabilities. Details of fixes can be found in our Security Notes Forum.
No other LMS vendor has taken up this call for public security testing to my knowledge, and I attempted to describe some of the arguments against the practice here.
While I obviously have not had the same insight into the second and third annual public audits (you can review the results in the public report), I am impressed to see that the company has kept their word.
As such, we see no reason why all LMS providers in the market shouldn't provide open security audits on an annual basis.
I still think it would help the market in general if more LMS providers adopted this practice of public security audits - it would be useful for higher ed clients and it would be good for the providers themselves.