Instructure has had a very interesting reaction to the news and blogs about security vulnerabilities with Blackboard's Learn LMS several months ago. They have decided to engage Securus Global, the same firm that did the ethical hacking for the Australian universities in the Blackboard investigation, to test Instructure's Canvas LMS product. They have also invited me to be essentially an embedded reporter - participating in the process and independently reporting on the testing and Instructure's response to any vulnerabilities identified.
While doing research for a my post analyzing Blackboard's response to the reports of security vulnerabilities, I had the opportunity to interview several LMS vendors to get background on their philosophies and practices around security. I think it is important to understand how the broader LMS market is handling security concerns, especially as the LMS has become such a central part of the an institutions' academic operations.
In the post I argued that we need more transparency in the LMS market.
We need more transparency in the LMS market, and clients should have access to objective measurements of the security of a solution. To paraphrase Michael Feldstein’s suggestions from a 2009 post:
- There is no guarantee that any LMS is more secure just because they say they are more secure
- Customers should ask for, and LMS vendors should supply, detailed information on how the vendor or open source community has handled security issues in practice
- LMS providers should make public a summary of vulnerabilities, including resolution time
I would add to this call for transparency that LMS vendors and open source communities should share information from their third-party security audits and tests. All of the vendors that I talked to have some form of third-party penetration testing and security audits; however, how does this help the customer unless this information is transparent and available. Of course this transparency should not include details that would advertise vulnerabilities to hackers, but there should be some manner to be open and transparent on what the audits are saying.
Securus Global is a global security company that helps clients interested in "quality security advisory, assessment and assurance services". Although they perform the full range of security consulting that includes strategy and management, Securus is best known for their testing engagements. In this context, they can test applications and systems for security vulnerabilities and advise clients on how to improve security. Typically ~90% of their work is for clients of an application (e.g. the Australian universities wanting to verify if their LMS has vulnerabilities), rather than the 10% where the work is for the application vendor themselves. It is preferable for the vendor to do their own testing up front, but at least for Securus Global customers it is usually the application client who requests the service.
To Instructure's credit, they are asking for the testing before clients have reason to request these tests. Furthermore, with this embedded reporter concept, Instructure is taking the additional step and risk of not controlling the message. Securus indicated that this was the first time they had a vendor include an independent party in this manner. They congratulated Instructure for their bold approach, although using more colorful language.
Let's be clear - we do not know what the results of this testing will be and whether it will look good, bad or indifferent for Instructure. Securus has indicated that the vast majority of testing results in some level of critical vulnerabilities. As noted in my original post:
In the interviews, all LMS vendors acknowledged that no web-based software is perfect and you should always expect some vulnerabilities. The issue should not just be on whether there are vulnerabilities, but perhaps more importantly, on how a company or organization responds to a security vulnerability or incident.
Based on my call for more transparency, how could I refuse the offer? Here is a vendor who is willing to have information shared from a third-party security test and to not even control the reporting of this information.
I am receiving nothing for this offer other than the chance to practice what I preach about transparency. While I assume that Instructure will have their own description of the process and results, I will keep my writing independent. I will get input from Securus to ensure that the testing and reporting do not jeopardize any of Instructure's clients, which could affect the timing of my posts.
The result will be a series of posts reporting on this process over the next few weeks - both the results of the testing and analysis of Instructure's response to the results. We have already had a conference call introducing me to the Securus team doing the testing, and I will be allowed to review reports coming from Securus, participate in phone calls where Securus shares results of testing, and follow-up directly with Securus without Instructure's involvement where appropriate.