Second Annual Open Security Audit
It’s that time of year again when we push the envelope in openness and security by walking the walk and publishing the results of our third-party security audit. Not surprisingly, our friends at Blackboard and Desire2Learn continue keeping their security audits closed.
Hey D2L and Blackboard, olly olly oxen free.
If you’re unfamiliar with our annual open security audit, a year ago we challenged Blackboard and Desire2Learn to conduct open security audits. No one responded. We believe open security audits are important for the industry and hiding problems is not going to fix anything, so we’re pushing forward undeterred.
Highlights of the 2012 Audit
Over the last several weeks we’ve been conducting our 2012 security audit of Canvas and its underlying architecture. For the audit, an outside security agency is hired to look for ways to exploit and penetrate Canvas. As possible vulnerabilities are discovered, they share them with us and we fix them. The results are in and we’re happy to share.
Security auditors hard at work.
In the audit, the security company found two somewhat severe issues, one in Canvas itself and one in the underlying libraries we use. Those were both fixed the same day and bulletins were issued. Several minor issues were fixed in the 11/24 release and a couple more smaller issues will be fixed in the upcoming 12/22 release.
Again, for the good of the industry and for the security of all LMS users, we invite our friends at Blackboard (including MoodleRooms) and Desire2Learn to back up their claims of openness and join us in conducting annual open security audits. Guys, if it’s a money thing, we’re happy to pay for the audit for you.* Just shoot me an email and we’ll take care of it: firstname.lastname@example.org.
* We’ll pay for the audit of the latest version of your LMS by a neutral third party of our choosing. For reals. Don’t be scared or embarrassed! Everyone has security issues that come up from time to time. Let’s find them, fix them and be open about it.
blog comments powered by