Instructure has engaged Securus Global to test the Canvas LMS product for security vulnerabilities.  Instructure has also invited me to be an independent observer – participating in the process and independently reporting on the testing and Instructure’s response to any vulnerabilities identified.  Part 1 of this series of posts described the concept.  Part 2 gave a mid-term update, describing the process involved and initial results.  In this post I’ll describe the full results of the security assessment.  I’ll add my actual analysis in the final post.

The purpose of the testing was to validate and review the Canvas LMS design and implementation with respect to vulnerabilities that could be exploited by a motivated hacker.  Securus employed security experts to ethically hack a test environment, both manually and with automated tools, to try to identify specific vulnerabilities, working from the perspective of both an unauthorized user and an authorized user.  A range of exploits was tested, but the basic idea was to find out whether someone could access information or functionality that should be protected by system controls, including role-based security.


