Blackboard strives to be vigilant in building security into its products and in providing prompt and carefully tested product updates. Customers can have confidence that Blackboard is following industry-accepted security practices. Blackboard develops Blackboard Learn™ according to a set of security engineering guidelines derived from many organizations such as the Open Web Application Security Project (OWASP), including specific countermeasures for OWASP Top Ten vulnerabilities. Blackboard incorporates these security practices in all phases of the software development lifecycle (SDLC).
Blackboard utilizes several methods to protect our applications, including "top-down" security assessments through threat modeling and analysis as well as "bottom-up" code-level threat detection through static analysis, dynamic analysis, and manual penetration testing.
Blackboard follows best practice guidance from many organizations to help strengthen the security of Blackboard Learn's product and program. A few organizations are noted here:
- National Institute of Standards and Technology (NIST)
- European Network and Information Security Agency (ENISA)
- SANS Institute
- Open Web Application Security Project (OWASP)
- Cloud Security Alliance (CSA)
For specific system control recommendations, see the “Best Practices” block below.
In addition to these best practices and the specific security recommendations provided in the section below, please also refer to the security recommendations at the following Help Sites:
- Access Controls
- Audit and Logging Management
Security threats and countermeasures surrounding Learning Management Systems are ever-changing. Thus, Blackboard regularly assesses its Product Security Roadmap, and customers should be able to feel a strong security presence and see demonstrable results. On Behind the Blackboard, customers can see that presence in our detailed security advisories and patches, the EU Cookie Disclosure Building Block, downloadable Security Webinars, and a dedicated channel for reporting security issues, LearnSecurity@blackboard.com.
Blackboard recommends that clients using the self-hosted version of the Learn product use recognized cybersecurity standards, such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” or ISO/IEC 27002, “Code of Practice for Information Security Controls,” to implement strong security controls commensurate with their business needs.
Key recommendations include:
- Ensure that only designated, highly trusted administrative staff are given access to the system command line interface, on a strict “need-to-know” basis.
- Enable detailed audit logging for all systems. The audit logs should capture all actions executed by administrative staff at the network, operating system, and application layers.
- Ensure that all administrative staff have passed detailed background checks to validate their trustworthiness for their roles.
- Consider using multi-factor authentication to manage the operating system whenever feasible.
- Ensure that the servers containing these repositories are located on a restricted closed network with limited access.