Cloud-based LMS challenges Blackboard to major security review

Blackboard said its security holes were 'common issues.'

A relatively new kid on the learning management system (LMS) block has jabbed Blackboard Inc. in the chest for three months, daring the commercial LMS behemoth to conduct a publicly available security audit of its popular platform. Blackboard, so far, has ignored the challenge.

Josh Coates, CEO of Instructure, a cloud-based LMS that counts several large campuses among its customers, used a Jan. 24 blog post to challenge the heads of Blackboard, Blackboard Learn, and Desire2Learn to hire a third party to conduct a comprehensive security audit, fix the security shortcomings found in that audit, and publish the results for everyone to see.

Ninety days later, Coates has yet to receive a reply to his audit proposal, and eCampus News interview requests sent to Blackboard and Desire2Learn went unanswered.

“This is something we should all agree on. We don’t have to be competitive about this,” Coates, founder of online backup service Mozy, said of Instructure’s audit challenge. “This is good for the industry, to be safe and secure. But when we asked, all we heard were crickets chirping. I got complete silence.”

Instructure’s own security audit, conducted by Australia-based Securus Global, turned up a few security holes in the cloud-based LMS service.

Those security lapses—which could leave the platform open to hackers or botnets trolling the web for student and faculty information—were quickly fixed, Coates said.

“I want to work together [with other LMS companies] to make students and teachers and administrators feel more secure about how their data is being protected,” Coates said, adding that an LMS security audit would cost about $40,000. “Of course they’ll find some security holes, but they need to put it out in the sunlight.”

Blackboard officials countered reports of security shortcomings published in a September 2011 SC Magazine article, which charged that Blackboard’s LMS vulnerabilities made it possible for students to change their grades and hackers to steal personal information.

An unnamed Australian university hired Securus Global to hack into its Blackboard LMS platform. Securus was successful, accessing databases that served as home to student grades and personal data.

“Many of these issues are common issues associated with any type of web application or software, and all of the issues will be addressed through existing patches and planned releases,” Stephanie Tan, Blackboard Learn’s security director, said in an interview with SC Magazine.

Anne Jenkins, a Blackboard spokeswoman, said Securus “was able to gain access to their database due to an improper configuration of a security control, which we advised them about immediately.”

Tan told SC Magazine that the vulnerabilities wouldn’t be patched until an update was ready at the end of 2011.

The flexibility of a cloud-computing-based LMS, Coates said, helps to streamline the patching of security holes found during audits.
