Educause Security Discussion mailing list archives
Re: Potential Security Risks in OpenSource LMS environments
From: John Ellingsworth <john () ELLINGSWORTH ORG>
Date: Wed, 15 Jul 2009 18:59:58 -0400
"slow to patch" is pure FUD. A search for 'bug tracker' on each FOSS app you list shows the following first hit for each:

FOSS:
http://tracker.moodle.org/browse/MDL
http://jira.sakaiproject.org/secure/Dashboard.jspa
http://www.atutor.ca/development/bugs/

Blackboard, nothing helpful:
http://www.google.com/search?q=blackboard+bug+tracker

This one:
http://www.google.com/search?q=blackboard+vulnerability
shows numerous postings from an individual trying to determine how & where to report a vulnerability and not finding an answer.

While the above would not be the only determinant in assessing the feasibility of any one product, I would consider the openness of bug & security vulnerabilities as crucial to determining risk factor.

Look at the release cycle for each; look at the roadmap for each; look at the issue reporting structure for each. Do they align with publicly accessible information? Is the information available?

Check the vulnerability databases:
http://secunia.com/advisories/product/

Therein will you find the risk factors, not in FUD. Due diligence can and will be a slow process - especially when information is not readily available. Vendor PR is no substitute for the facts.

Regards,
John Ellingsworth

On Wed, Jul 15, 2009 at 5:10 PM, Cathy Hubbs <hubbs () american edu> wrote:
> Kees, thank you for sharing your experiences, this is exactly what I am trying to uncover. Many Universities are making the shift to Open Source LMS environments, most from what I hear, for cost savings and a perception of a richer feature set, and I'm sure there are more reasons than these.
>
> When making the decision to make the LMS shift, considerations such as TCO need to be thoroughly researched and shared with our business officers. Another consideration (the one I am posing) is: are there any additional risks to potentially sensitive data sets that may be more prevalent in the Open Source environment versus the Commercially supported environment? Commercial proponents often point to "slow to patch" as the big risk factor; I'm looking to see if there are any other considerations.
>
> If anyone else has experience comparing risks in LMS environments (opensource vs Commercial) I am still interested. Happy to receive a phone call too. Thanks in advance.
>
> Cathy Hubbs, Chief Information Security Officer
> American University
> Washington, DC
> 202.885.3998
>
> Kees Leune <LEUNE () ADELPHI EDU>
> Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> 07/15/2009 02:49 PM
> Please respond to The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> cc:
> Subject: Re: [SECURITY] Potential Security Risks in OpenSource LMS environments
>
>> On 7/14/2009 at 5:26 PM, in message <OFCA6EF495.D93D6FB8-ON852575F3.0075B517-852575F3.0075F0F5 () american edu>, Cathy Hubbs <hubbs () AMERICAN EDU> wrote:
>>
>>> In thinking about the move toward Open Source Learning Management Systems (i.e., Moodle, Sakai, ATutor, etc., etc.) from Blackboard... Has anyone encountered or addressed potential security risks/concerns that may be more prevalent in the Open Source LMS environment vs the COT LMS?
>>>
>>> 1. Timeliness of Patch Deployment
>>
>> We have just completed the transition from Blackboard to Moodle and we have been very happy with it. The few times that vulnerabilities were discovered, they were patched very quickly.
>>
>>> 2. More difficulty protecting data stores (i.e., distributed, the potential for DBs on individual Faculty workstation)
>>
>> I do not see how Moodle vs. Blackboard would be different in that--- all data resides on the server; faculty members can always make local copies of the information to which they have access, but that is true for Blackboard also.
>>
>> Our general experience is that we have less downtime with Blackboard than we have with Moodle and that Faculty, Students and Administration are happier with it than they were with Blackboard. Moodle has been tied in to our authentication infrastructure, and very detailed logging has helped me in investigations in the past.
>>
>> Hope this helps,
>>
>> Kees
>>
>> --
>> Dr. Kees Leune
>> Information Security Officer
>> Adelphi University
>> Garden City, NY
>> +1 (516) 877-3936