Instructure has engaged Securus Global to test the Canvas LMS product for security vulnerabilities.  Instructure has also invited me to be an independent observer – participating in the process and independently reporting on the testing and Instructure’s response to any vulnerabilities identified.  Part 1 of this series of posts describes the concept.  In this post, I’ll give a mid-term update, describing the process involved and initial results.  In the next post I’ll describe the full results of the security testing.  I’ll try to keep my actual analysis in the final post, after I have objectively described the process and results.
The purpose of the testing was to validate and review the Canvas LMS design and implementation with respect to vulnerabilities that could be exploited by a motivated hacker. Securus employed security experts to ethically hack a test environment to try to identify specific vulnerabilities, working from the perspective of both an unauthorized user and an authorized user. A range of exploits was tested, but the basic idea is to find out whether someone could access information or functionality that should be protected by system controls, including role-based security.
There are two particular viewpoints that have led to my interest in this independent observer role.
- No enterprise software platform is perfect, and you should always expect some vulnerabilities. The issue should not be just whether there are vulnerabilities but, perhaps more importantly, how a company or organization responds to a security vulnerability or incident.
- I have called for transparency from LMS vendors and open source communities, arguing that they should share information from their third-party security audits and tests.
Two aspects of the Canvas LMS are particularly relevant for this discussion.
- Canvas is a Software-as-a-Service (SaaS) platform, also known as a multi-tenant platform. In this setup, Canvas is run “in the cloud” where all paying customers share the same instance of the LMS. This is the same model as Amazon, Facebook, iTunesU, as well as many of the newer LMS solutions. Because of this model, there is one deployment of software in production that customers share.
- Canvas is commercially open source. Instructure controls and updates the code base, but the source code is freely available and can be downloaded or used by non-paying customers. Additionally, paying customers obviously have full access to see the source code.
Testing Process
The testing took place from approximately November 7 – 25, 2011. During this timeframe, Securus had full access to the test environment, including access to the LMS source code (not only the officially open source code, but also the closed source plugins where needed). Additionally, Securus requested and had access to certain system error log files. The source code and error logs could be useful to identify hidden attack pathways.
Each identified vulnerability was rated by Securus as Critical, High, Moderate, Low or Informational Purposes – in decreasing order of risk severity. Instructure uses a different system of Highly Critical, Less Critical, etc. in their security advisories, but I will keep my descriptions based on the severity levels identified by Securus.
During the testing, we had conference calls roughly once a week, where I was able to participate and hear the results-to-date, questions, and general discussion. In addition to the verbal updates by phone, Securus provided an interim written update on November 16th that described the vulnerabilities identified up to that point. The draft final report was delivered on November 28th, and the final report should be published shortly.
My descriptions lag the actual testing dates to avoid publicizing vulnerabilities before there are remediations – while I am interested in transparency, there is no need to increase risk by reporting on issues that have not been addressed.
The mid-term results provided on November 16th did identify several vulnerabilities. These vulnerabilities were described in more detail in the final report, which I’ll cover in a future report, but there is one issue that is worth relating ahead of time.
The testing “identified a SQL injection attack vector in the file re-ordering capability, available in the users file area and the course/group file areas” (from the subsequent security advisory posted by Instructure). This issue was deemed by both Securus and Instructure to be of Critical severity, since it could lead to manipulation of data, exposure of sensitive information, and privilege escalation (users gaining access to more information and functionality than should be allowed based on their role).
Due to the critical nature of the SQL injection vulnerability, Instructure took the step of developing, testing and deploying a fix to the production server and the open source code base approximately 24 hours after the mid-term report.
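To make the class of problem concrete, here is an added illustration (mine, not Canvas code; Canvas itself is a Rails application and the advisory above gives no implementation detail) of why a file re-ordering endpoint is a natural place for a SQL injection and privilege escalation finding, and what the remediation looks like. The table, the user ids and the request values are constructed for the example. The vulnerable version splices the request's comma-separated list of file ids straight into the `UPDATE`, so a single malformed id rewrites rows that belong to another user's file area. The hardened version validates that every id is an integer, binds values as parameters, and refuses any id that is not owned by the caller before touching the database.

```python
import re
import sqlite3

# Constructed sample data: files in two users' file areas, each with a position.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attachments ("
        "id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT, position INTEGER)"
    )
    conn.executemany(
        "INSERT INTO attachments VALUES (?, ?, ?, ?)",
        [
            (1, 100, "syllabus.pdf", 1),
            (2, 100, "week1.pdf", 2),
            (3, 100, "week2.pdf", 3),
            (4, 200, "grades.csv", 1),  # belongs to a different user (id 200)
        ],
    )
    return conn

def positions(conn, owner_id):
    """Return [(id, position), ...] for one user's file area, ordered by id."""
    return conn.execute(
        "SELECT id, position FROM attachments WHERE owner_id = ? ORDER BY id",
        (owner_id,),
    ).fetchall()

def reorder_vulnerable(conn, owner_id, order_param):
    """Insecure pattern: request value spliced into SQL, no ownership check.

    order_param is the raw request value, e.g. "3,1,2". Nothing constrains it
    to integers, and the UPDATE is not scoped to owner_id at all.
    """
    for pos, raw_id in enumerate(order_param.split(","), start=1):
        sql = f"UPDATE attachments SET position = {pos} WHERE id = {raw_id}"
        conn.execute(sql)
    conn.commit()
    return positions(conn, owner_id)

_ID_RE = re.compile(r"\d+")

def reorder_hardened(conn, owner_id, order_param):
    """Remediated pattern: validate, parameterize, and enforce ownership."""
    raw_ids = order_param.split(",")
    # 1. Input validation: every element must be a plain integer literal.
    if not all(_ID_RE.fullmatch(x) for x in raw_ids):
        raise ValueError("file order must be a comma-separated list of integer ids")
    ids = [int(x) for x in raw_ids]
    if len(set(ids)) != len(ids):
        raise ValueError("file order contains duplicate ids")
    # 2. Authorization: every id must belong to the caller's own file area.
    #    The only thing interpolated here is a run of "?" placeholders whose
    #    length is derived from len(ids); the ids themselves are bound values.
    placeholders = ",".join("?" * len(ids))
    owned = {
        row[0]
        for row in conn.execute(
            f"SELECT id FROM attachments WHERE owner_id = ? AND id IN ({placeholders})",
            [owner_id, *ids],
        )
    }
    if owned != set(ids):
        raise PermissionError("file order references files outside the caller's file area")
    # 3. Parameterized, owner-scoped update inside one transaction.
    with conn:
        for pos, fid in enumerate(ids, start=1):
            conn.execute(
                "UPDATE attachments SET position = ? WHERE id = ? AND owner_id = ?",
                (pos, fid, owner_id),
            )
    return positions(conn, owner_id)

def try_reorder(conn, owner_id, order_param):
    """Hardened reorder, reduced to a status string the way a controller might."""
    try:
        reorder_hardened(conn, owner_id, order_param)
        return "ok"
    except ValueError:
        return "rejected:malformed"
    except PermissionError:
        return "rejected:not-owner"

if __name__ == "__main__":
    # A legitimate reorder works the same way in both versions.
    print("hardened, valid order:", reorder_hardened(make_db(), 100, "3,1,2"))
    # A malformed id reaches the database unchanged in the vulnerable version
    # and rewrites user 200's row; the hardened version rejects it up front.
    vuln = make_db()
    reorder_vulnerable(vuln, 100, "2,1 OR 1=1")
    print("vulnerable, other user's files after request:", positions(vuln, 200))
    print("hardened, same request:", try_reorder(make_db(), 100, "2,1 OR 1=1"))
    print("hardened, foreign id:", try_reorder(make_db(), 100, "4,1,2,3"))
```

The two defenses are independent and both are needed: parameterization alone would still let a user re-position another user's files if the request carried a well-formed foreign id, and the ownership check alone would not survive a non-integer id reaching the query text.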
The mid-term update also identified three other vulnerabilities which appear to be Moderate or Low severity. I’ll describe the actual vulnerabilities and remediations in a future post.
Update: Fixed dates of testing period
James Brown says
I just can’t believe none of the LMS systems test for system security when they release each version. I think Instructure wouldn’t even have thought about such testing if the Blackboard security incident hadn’t occurred.
Gordon says
Whilst I appreciate the general spirit in which this initiative is being conducted and welcome the light that is being shone on LMS security, I have to say let’s revisit this issue when Instructure has been in the game for a decade or more, has hundreds of clients and proactively mitigates bad publicity in all manner of circumstance. Kudos to them for being out there though, but let’s see how well they live up to the benchmark they are setting.
Drazen Drazic says
We set down some rules before we accepted to do this job.
For us, we were not into marketing but acknowledge, it may well turn out that way. Good luck to them!
Smart business! Doesn’t matter if it wasn’t there before, it is now.
We have never been involved in such a scenario with a journo reporting as we go, and we were wary of potentially being used from a marketing perspective. We put this scenario out to the Infosec industry and did not get a response that anyone had done this before.
Check our Twitter @securusglobal. All we got was big cred to Instructure for doing it!
It surprised me that they were open to it. I called them “brave” on Twitter because we “own” sites we test for the first time. And as you can see, we did!
But cred to the guys, they put their money where their mouth was and reacted and reacted quick and fixed it and continue to fix it!
Don’t read anything into the fact that they had problems.
95%+ of sites we test the first time have critical problems.
It’s how people respond that is the key.
Instructure did a first! A live/semi-live security test! That was ballsy!
And to the questions above, they’ve told us, their commitment to ongoing testing is there. While our test is a single point in time and things always change, they’ve put it out there and you can always ask us if they are still doing it!
Kevin Reeve says
As someone who uses Canvas to teach a University course and an IT professional, I am impressed with this proactive approach that Instructure is taking. It is refreshing!