Trust, but verify
Perhaps we take the vendor’s word for it. Hopefully we can look at its track record for responding to major vulnerabilities that made the news in years past. But how do you know that the company’s fix worked? And how can you tell if there are other vulnerabilities in its code waiting to be exploited?
By making the software source code freely available for anyone, open-source software provides a level of transparency that traditional software providers don’t. Historically, open-source advocates have emphasized the freedom to install, run, and adapt the software. But open-source software also has an advantage in that anyone, at any time, can inspect and evaluate the underlying code.
4 reasons why open-source code is the smart choice
Recently, the University of Minnesota conducted a high-level security assessment of two open-source learning management systems (LMS), the software used by students and instructors every day for a variety of teaching and learning activities, including grading.
The report suggests four main takeaways:
1. An open-source LMS has an advantage for educational institutions in that the source code can be evaluated and tested for vulnerabilities at any time.
2. LMS providers must demonstrate a clear and deliberate security strategy that includes regular, internal evaluations and processes to safeguard data, such as SOC 2.
3. LMS providers should be able to deploy software updates automatically for all users when a problem is detected.
4. An LMS should be subject to regular, independent security evaluations that result in detailed public reports of findings. Making such reports open to the public not only provides transparency around discoveries, but it can also confirm that any vulnerabilities have been fixed.
These recommendations reflect our own beliefs and practices at Instructure around the security of educational technology. Open-source code provides necessary transparency and empowers people to conduct their own evaluations. Cloud architecture empowers us to apply patches live, without taking the service down, so that we can remediate unexpected vulnerabilities ASAP.
Internal policies and practices are critical, but not enough—Instructure engages in open, annual security audits of our Canvas LMS by independent security experts. And we make the reports of these audits publicly available on our website, so that even if you can’t dig into the Canvas source code yourself, you can still understand its level of security.