Canvas’ Fifth Annual Open Security Audit

Have you ever heard the saying, “Good things come to those who wait,” or “Better late than never,” or “Your head’s in the clouds”? Well, all of those adages apply to the results of the 2015 web application security assessments for Canvas.

And boy, was it worth the wait!

This year (like last year) we partnered with Bugcrowd, the leader in crowdsourced application security testing, to publish the most comprehensive security assessment we’ve produced in our five-year history.

In 2014, Bugcrowd security researchers identified 59 issues within Canvas. And in 2015, they found only 10—that’s right, 49 fewer than the previous year!

So what happened? Did Canvas become five times more secure? Did we stop writing code or deploying changes to the Canvas platform? Did magical, security-minded code elves come along and give us a Defender Aura?

No, none of those things happened (although a Defender Aura is a great thing to have in your bag of holding). What did happen is that our entire Canvas product development team, from concept to operations, became even more aware of and focused on providing the most secure products and services possible.

You could say we continue to experience a cultural revolution in how we act and respond to security in the cloud.

This cultural and procedural maturing is the result of our overall security strategy to achieve continuous improvement through “persistent, adaptive diligence.” By constantly assessing ourselves, openly discussing security issues, and being willing to alter our product designs, functionality, or timelines, we ensure that our culture of security permeates our product delivery pipeline.

At Instructure, we are keenly aware that securing our customers’ data is of paramount importance, especially as the threats continue to mount on the internet. According to the 2016 Data Breach Investigations Report (DBIR) published by Verizon, data breaches continue to experience year-over-year growth, largely driven by increases in social engineering and malware-based attacks.

This means it’s more important than ever to have a comprehensive security strategy, which includes concepts like “defense in depth,” “offense is the best defense” (hack yourselves/chaos monkeys), and “transparency is the best policy.”

That last point is why we make our annual assessment results public. We believe it’s important to take the discussion about security out of the meeting room, and into the public forum. Is there risk in doing this? Sure, but in our opinion, not talking about security is far more risky.

So, we’ll keep talking about it, hoping you’ll keep listening—and hoping that our competitors will join us in this increasingly important discussion.

You can check out the entire report by clicking here.

Keep learning,
Q. Wade Billings
VP, Technology Services