Instructure has engaged Securus Global to test the Canvas LMS product for security vulnerabilities.  Instructure has also invited me to be an independent observer – participating in the process and independently reporting on the testing and Instructure’s response to any vulnerabilities identified.  Part 1 of this series of posts describes the concept.  In this post, I’ll give a mid-term update, describing the process involved and initial results.  In the next post I’ll describe the full results of the security testing.  I’ll try to keep my actual analysis in the final post, after I have objectively described the process and results.

The purpose of the testing was to validate and review the Canvas LMS design and implementation with respect to vulnerabilities that could be exploited by a motivated hacker.  Securus employed security experts to ethically hack a test environment to try to identify specific vulnerabilities, working from the perspective of both an unauthorized user and an authorized user.  A range of exploits was tested, but the basic idea is to find out whether someone could access information or functionality that should be protected by system functionality, including role-based security.
