Re: Potential Security Risks in OpenSource LMS environments

[John Ellingsworth <john () ELLINGSWORTH ORG>]

 "slow to patch" is pure FUD.

A search for 'bug tracker' on each FOSS app you list show the
following first hit for each:

FOSS:
http://tracker.moodle.org/browse/MDL
http://jira.sakaiproject.org/secure/Dashboard.jspa
http://www.atutor.ca/development/bugs/

Blackboard, nothing helpful:
http://www.google.com/search?q=blackboard+bug+tracker

This one:
http://www.google.com/search?q=blackboard+vulnerability

Shows numerous postings from an individual trying to determine how &
where to report a vulnerability and not finding an answer.

While the above would not be the only determinant in assessing the
feasibility of any one product, I would consider the openness of bug &
security vulnerabilities as crucial to determining risk factor.

Look at the release cycle for each; look at the roadmap for each; look
at the issue reporting structure for each.   Do they align with
publicly accessible information?  IS the information available?

Check the vulnerability databases:
http://secunia.com/advisories/product/

Therein will you find the risk factors, not in FUD.

Due diligence can and will be a slow process - especially when
information is not readily available.  Vendor PR is no substitute for
the facts.

Regards,

John Ellingsworth




On Wed, Jul 15, 2009 at 5:10 PM, Cathy Hubbs<hubbs () american edu> wrote:
> Kees, thank you for sharing your experiences, this is exactly what I am
> trying to uncover.
>
> Many Universities are making the shift to Open Source LMS environments, most
> from what I hear, for cost savings and a perception of a richer feature set,
> and I'm sure there are more reasons than these. When making the decision to
> make the LMS shift, considerations such as TCO need to be thoroughly
> researched and shared with our business officers another consideration (the
> one I am posing) is, are there any additional risks to potentially sensitive
> data sets that  may be more prevalent in the Open Source environment verses
> the Commercially supported environment. Commercial proponents often point to
> "slow to patch" as the big risk factor, I'm looking to see if there are any
> other considerations.
>
> If anyone else has experience comparing risks in LMS environments
> (opensource vs Commercial) I am still interested. Happy to receive a phone
> call too.
>
> Thanks in advance.
>
>
> Cathy Hubbs,
> Chief Information Security Officer
> American University
> Washington, DC
> 202.885.3998
>
>
>
> Kees Leune <LEUNE () ADELPHI EDU>
> Sent by: The EDUCAUSE Security Constituent Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU>
>
> 07/15/2009 02:49 PM
>
> Please respond to
> The EDUCAUSE Security Constituent Group Listserv
>  <SECURITY () LISTSERV EDUCAUSE EDU>
> To
> SECURITY () LISTSERV EDUCAUSE EDU
> cc
> Subject
> Re: [SECURITY] Potential Security Risks in OpenSource LMS environments
>
>
>
>
> > > > On 7/14/2009 at 5:26 PM, in message
> <OFCA6EF495.D93D6FB8-ON852575F3.0075B517-852575F3.0075F0F5 () american edu>,
> Cathy
> Hubbs <hubbs () AMERICAN EDU> wrote:
> > In thinking about the move toward Open Source Learning Management Systems
> > (i.e., Moodle, Sakai, ATutor, etc., etc.) from Blackboard...
> >
> > Has anyone encountered or addressed potential security risks/concerns that
> > may be more prevalent in the Open Source LMS environment vs the COT LMS?
> >
> > 1. Timeliness of Patch Deployment
>
>
> We have just completed the transition from Blackboard to Moodle and we have
> been very happy with it. The few times that vulnerabilities were discovered,
> they were patched very quickly.
>
>
> > 2. More difficulty protecting data stores  (i.e., distributed, the
> > potential for DBs on individual Faculty workstation)
>
>
> I do not see how Moodle vs. Blackboard would be different in that--- all
> data resides on the server; faculty members can always make local copies of
> the information to which they have access, but that is true for Blackboard
> also. Our general experience is that we have less downtime with Blackboard
> than we have with Moodle and that Faculty, Students and Administration are
> happier with it than they were with Blackboard. Moodle has been tied in to
> our authentication infrastructure, and very detailed logging has helped me
> in investigations in the past.
>
> Hope this helps,
>
> Kees
> --
>
> Dr. Kees Leune
> Information Security Officer
> Adelphi University
> Garden City, NY
> +1 (516) 877-3936