<h1>Extra Credit: The Canvas Blog</h1>

Dec 21, 2012

By Josh Coates

Second Annual Open Security Audit

It’s that time of year again when we push the envelope in openness and security by walking the walk and publishing the results of our third-party security audit. Not surprisingly, our friends at Blackboard and Desire2Learn continue keeping their security audits closed.

Hey D2L and Blackboard, olly olly oxen free.

If you’re unfamiliar with our annual open security audit, a year ago we challenged Blackboard and Desire2Learn to conduct open security audits. No one responded. We believe open security audits are important for the industry and hiding problems is not going to fix anything, so we’re pushing forward undeterred.

Highlights of the 2012 Audit
Over the last several weeks we’ve been conducting our 2012 security audit of Canvas and its underlying architecture. For the audit, an outside security agency is hired to look for ways to exploit and penetrate Canvas. As possible vulnerabilities are discovered, they share them with us and we fix them. The results are in and we’re happy to share.

Security auditors hard at work.

In the audit, the security company found two somewhat severe issues, one in Canvas itself and one in the underlying libraries we use. Those were both fixed the same day and bulletins were issued. Several minor issues were fixed in the 11/24 release and a couple more smaller issues will be fixed in the upcoming 12/22 release.

Again, for the good of the industry and for the security of all LMS users, we invite our friends at Blackboard (including MoodleRooms) and Desire2Learn to back up their claims of openness and join us in conducting annual open security audits. Guys, if it’s a money thing, we’re happy to pay for the audit for you.*  Just shoot me an email and we’ll take care of it: josh@instructure.com.

Keep learning,

josh

* We’ll pay for the audit of the latest version of your LMS by a neutral third party of our choosing. For reals. Don’t be scared or embarrassed! Everyone has security issues that come up from time to time. Let’s find them, fix them and be open about it.
