I want to be very careful and cautious when talking about how to best identify and remediate security vulnerabilities in our learning management systems (LMS). The security of our LMS platforms is too important a topic on which to draw conclusions or make recommendations in the absence of expert input and an informed discussion.
What I want to talk about is Instructure's public call for Blackboard and Desire2Learn to conduct an annual public security audit. You can read this challenge from Josh Coates, Instructure's CEO, over at the Instructure blog.
Josh describes the reasons why he had his company invest the resources to undertake a public security audit, and why he believes that this should be an industry-wide practice.
I also strongly recommend reading Phil Hill's Analysis of Instructure Security Testing on the e-Literate blog.
Phil provides a very balanced treatment around the pros and cons of LMS vendors conducting public security audits. Phil comes out in favor of audits such as Instructure conducted (for reasons he goes into depth explaining), but recognizes that:
"One downside of public security assessments is that the act of publicizing results can in fact increase the likelihood that vulnerabilities would be exploited by hackers. As one executive from a competitive LMS put it to me, we need to focus on security consistently and not as a once-a-year exercise. Any public exposure of vulnerabilities can increase the likelihood of hackers exploiting those vulnerabilities, so the trick is to not disclose specific pathways to exploitation."
I have 3 reactions to this issue after reading Coates' and Hill's posts:
1. A Need for Discussion: I don't know enough to judge if Instructure and Phil Hill are correct, and that Blackboard and D2L should conduct a public security assessment. But I'm curious. A positive, collegial, and supportive discussion of the pros and cons of this method would be beneficial and educational.
2. A New Social Media Communications Regime: Whatever the merits of doing a public security assessment, we should acknowledge that social media has changed the rules of how companies communicate. The fact that the CEO of Instructure could make a public call for an industry standard, bypassing traditional media or conferences, represents a shift in how communication is handled. I don't think we understand the implications of this shift, in terms of risks or benefits, but it is important that we all engage with this new world of communication.
3. A Need for Collegiality: Competition is great. It drives us all to do better work, improves our products, and lowers prices. But I think we have a good deal of room for constructive collegiality within our ed tech sector. The norms of education are open, collegial, and supportive. We should approach each other assuming that we have good, pro-education motives, and be willing to listen to each other's rationales and reasons for our technology and business decisions. We would all be better off if the major ed tech providers competed ferociously but also had the opportunity for public dialogue. Maybe this issue could be a place to begin?
What are your thoughts?