Some Secrets Hurt

Keeping Vulnerabilities Secret Doesn't Make Them Go Away

Currently, every major LMS in the market keeps their vulnerabilities and security flaws a secret. The problem is, keeping these flaws secret doesn't make them go away. These kinds of secrets put students, faculty and institutions at risk.

Hey guys, please don't be this way.Hey guys, please don't be this way.

So back in November we decided to be the first LMS company to do an open security audit and we invited a 3rd party observer (Phil Hill) to document the process. And yes, the major security problems reported about Blackboard prompted the idea behind this open security audit. Fundamentally, hiding security vulnerabilities in the LMS decreases the likelihood they will be repaired and increases the likelihood that they will be exploited. The idea of openness in security is almost universally embraced by the academic and commercial security vendors as a method for increasing security.1, 2, 3, 4

As such, we see no reason why all LMS providers in the market shouldn't provide open security audits on an annual basis. We're not asking for the stars and the moon, we’re simply asking the LMS industry to prove their claims of compliance in the open.

Blackboard, D2L, and Instructure - with annual open security audits, we can all be winners!Blackboard, D2L, and Instructure - with annual open security
audits, we can all be winners!

The Cost of Open Security Audits

So what's the downside? Time, money and inconvenience.

Open security audits cost LMS providers money. An audit costs somewhere around $40,000. Out of the hundreds of millions of dollars that the major LMS providers bring in every year, we think this cost is not a burden when compared with the benefit of keeping educational institutions safe.

Open security audits cost LMS providers engineering time. If they need to publish a vulnerability report, they will likely want to fix the vulnerabilities before they publish the report. This will require some effort on their part to make their software as secure as they claim it is in their marketing literature. The challenge here is that if there are multiple software versions supported, then tracking security issues across version can be a complex process. In this case, native cloud systems have a distinct advantage when it comes to security management.

Open security audits are inconvenient for LMS providers because they could be embarrassing and leave no room for dodging accountability. It's easier to pretend that everything is fine, and that the "internal" security audits or closed 3rd party audits are sufficient. The problem is that you never know if these audits are complete or if the security vulnerabilities found are fixed in a reasonable amount of time.

As an educational institution, the questions that need to be asked are:

  • Would you rather have that next neat feature in the next version of your LMS or would you rather know for sure that the gaping security hole has been repaired?
  • And how will you know that these security holes aren't being kept secret from you by your vendor?

The Challenge

John Baker, CEO of Desire2Learn, why don't you do an annual public security audit?

Michael Chasen, CEO of Blackboard and Ray Henderson, President of Blackboard Learn, why don't you do an annual public security audit?

In the spirit of efficiency, let me help out here with the response. It seems to me, that the four possible responses to this challenge are as follows:

A) I'm going to ignore this call for an annual open security audit.

B) I'm going to make a noncommittal statement about how important security is, reference security bulletins we've published in the past, and say that's good enough or have a spokesperson do it for me.

C) I'm actually going to walk the walk and do an annual public audit because keeping educational institutions and students safe is more important than the potentially embarrassing security flaws that could be revealed through the audit.

D) I'm not going to do it, because my engineering team is incapable of making our software secure, so I'm going with option A and/or B.

Let's make a commitment to education that we will be open, honest, and accountable for the security of their faculty and students. Together we can make the edutech industry the most secure and open tech sector.

Okay guys, it's your move.

How seriously do you take the security of your customers?



Bruce Schneier, "Secrecy, Security, and Obscurity"

Randy Bush, Steven M. Bellovin, "Security Through Obscurity Dangerous"

Seth Ross, "Security Through Usability" Securius Vol 4, 1

Whitfield Diffie, "Perspective: Decrypting the secret to strong security"