Canvas’ Third Annual Open Security Audit

2013 was a rough year for data security and privacy. In the last 12 months, 2 million Facebook, Gmail, and Twitter passwords were stolen in a massive hack, nearly 40 million Target customers’ credit and debit card numbers were stolen, 250,000 Twitter user emails and passwords were compromised, data for 3 million Adobe customers’ credit cards was stolen, and the list continues with names like LivingSocial, Evernote, Federal Reserve Bank, and the U.S. Department of Homeland Security all having breaches that affected hundreds of millions of people.

[Image: Security camera] An open security audit would have caught this problem.

With all this evidence about the importance of security, we’re even more committed to doing everything we can to maintain and improve security in Canvas. For anyone who doesn’t know about our M.O. when it comes to security audits, take a minute and read about our first and second audits.

To be clear, we are continually performing security audits on Canvas. Occasionally, our customers even call for their own third-party audits, which we fully support. But once a year, we bring in a third party for an annual public audit, which helps us remain objective and committed to the security of your information.

This year we retained the company Secure Ideas, a network security consulting firm based in Orange Park, Florida. Their security consultants have spent years researching various exploits and vulnerabilities, building toolsets, and helping organizations secure their networks.

[Image: T-shirt] The security t-shirt of destiny.

This year’s audit started in November 2013. Secure Ideas spent three weeks doing penetration testing and conducting a general review of Canvas’ security architecture. They presented their findings in this Final Summary Report. In short, they found 0 critical, 1 high, 1 medium, and 2 low priority vulnerabilities. Details of fixes can be found in our Security Notes Forum.

The security of your information is important to us. In the past, users and customers have notified us of perceived security threats either via support tickets or in our security forum. We welcome these notices and often reward them with a note of thanks and an awesome Instructure security t-shirt. We may not always be perfect, but we’re trying to be.

And, as always, for the good of the industry and for the security of all LMS users, we invite our friends and competitors to back up their claims of openness and to finally join us in conducting their own annual open security audits.

Keep learning,