Security Testing

Blackboard performs continuous internal security testing at the code level (static analysis) and at the application level (dynamic analysis) to ensure Blackboard Learn meets both Blackboard's and our customers' expectations. To regularly get fresh eyes on the application, Blackboard also obtains penetration testing from third-party security vendors. Any identified issues are promptly scheduled for remediation.

Static application security testing

Blackboard uses open source and commercial static analysis scanners to assess Blackboard Learn source code continuously. The scanners are integrated with the build environment, so potential vulnerabilities in the source code are flagged as the system evolves rather than at release time. Blackboard couples this automated analysis with manual code review, which catches the classes of defect that pattern-based tools do not model.

Dynamic application security testing

Blackboard uses open source and commercial dynamic analysis scanners to assess the running Blackboard Learn application continuously. These scanners test for common web application vulnerabilities from the viewpoint of an end user, that is, by sending requests to the deployed application and examining its responses rather than inspecting its source.

Manual penetration testing

Static and dynamic application security testing tools cannot detect all security issues. To further mitigate security risk, Blackboard performs manual penetration testing to find more complex vulnerabilities and business logic flaws, such as improper authorization, which automated scanners do not recognize because finding them requires understanding what each user should be allowed to do.
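The following is an added example, not Blackboard Learn code, showing why an authorization flaw is invisible to both scanner types. Both handlers are syntactically clean and use no dangerous sink, so static analysis has nothing to flag, and a dynamic scanner logged in as one user only ever sees valid responses. The flaw shows only when a tester replays one user's object identifier as a second user. The course, user and grade records, the role names and the status codes are constructed for the illustration.

```python
"""Improper authorization that automated scanners miss.

Added example, not Blackboard Learn code. Names, courses, grades and the
role vocabulary below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Grade:
    grade_id: int
    course_id: str
    student: str
    value: str


@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)  # course_id -> "student" | "instructor"


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


# Constructed sample store: one grade record per (course, student).
GRADES = {
    1: Grade(1, "CS101", "alice", "A"),
    2: Grade(2, "CS101", "bob", "B-"),
    3: Grade(3, "MATH200", "carol", "C"),
}


def get_grade_vulnerable(user: User, grade_id: int) -> Grade:
    """Authenticated but never authorized: any logged-in user can read any
    grade by changing grade_id (an insecure direct object reference).
    Nothing here looks dangerous to a static analyzer."""
    return GRADES[grade_id]


def get_grade_hardened(user: User, grade_id: int) -> Grade:
    """Load the object first, then authorize against the object's own course
    and owner, never against anything the client supplied."""
    grade = GRADES.get(grade_id)
    if grade is None:
        raise Forbidden  # same answer as "not yours": do not reveal existence
    role = user.roles.get(grade.course_id)
    if role == "instructor" or (role == "student" and grade.student == user.name):
        return grade
    raise Forbidden


def scanner_view(handler, user: User, grade_id: int) -> int:
    """What a dynamic scanner observes: only an HTTP-style status code.
    With a single identity, both handlers answer 200 for the user's own
    grade, so the scanner has no signal."""
    try:
        handler(user, grade_id)
        return 200
    except Forbidden:
        return 403
    except KeyError:
        return 404


def cross_user_probe(handler, attacker: User, victim_grade_id: int) -> bool:
    """The manual test: a second identity replays the first identity's id.
    Returns True when access is wrongly granted."""
    return scanner_view(handler, attacker, victim_grade_id) == 200
```

The probe is the whole test: run the same request under two identities and compare. A scanner configured with one session cannot make that comparison, which is why the page lists improper authorization under manual testing.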

Security updates and advisories

Blackboard is committed to the timely identification, communication, and resolution of security vulnerabilities in its products. Blackboard publishes security patches and advisories through Behind the Blackboard.

Security Advisories are released with the following header information:

  • Advisory ID - identifier used for Knowledge Base tracking
  • Title - brief description of the affected area
  • Issue Date - date the advisory was published
  • Severity - rating derived from the scoring approach described under Security vulnerability scoring below

The body of each advisory then provides:

  • Vulnerability overview - the nature of the security vulnerability
  • Functional issue overview - how the system may be affected
  • Affected versions - the product version(s) affected
  • Discovery - how the issue was found
  • Solution - a description of the fix, with a link to the applicable patches
  • Known exploitation - Blackboard tracks and advises clients of any known exploitation or malicious use of the vulnerability
  • Mitigations and workarounds - steps clients can take to reduce exposure, and whether a workaround is available before the patch can be applied
  • Revision history - when an advisory has been revised, a short summary of each update

Security vulnerability scoring

Blackboard follows the industry standard CVSSv2 (Common Vulnerability Scoring System version 2.0) as a guideline for rating severity. Customers may use these severity ratings to help classify the impact of security issues found in Blackboard Learn. A rating reflects an average deployment, since not all vulnerabilities have equal impact on all customers: one customer might not have the affected module enabled, or may store less sensitive information in it than another. Customers should therefore adjust the rating to their own environment where it differs from that average.

Input Validation Filter

The Input Validation Filter acts as a first line of defense for Blackboard Learn, with configurable rules; it functions much like a web application firewall placed in front of the application. It checks incoming user requests against a default ruleset and sanitizes request data that matches a rule, and administrators can adjust the rules. Because it is a generic filter applied before the application sees the request, it is a first line of defense rather than a substitute for validation, output encoding and parameterized queries in the application code itself.
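The following added example is not Blackboard's Input Validation Filter; it is a small rule-based request filter of the same shape, written to show what a "default ruleset" with reject and sanitize actions looks like and two edge cases such a filter must handle. The rule names, the sample parameters and the sample requests are all constructed. First, rules must run on the decoded value, otherwise %3Cscript%3E and double-encoded %253Cscript%253E walk straight past a literal match; second, per-parameter rules (here an identifier that must be numeric) are far more reliable than generic pattern stripping, which is lossy and can be bypassed.

```python
"""Rule-based request input filter with a default ruleset.

Added example, not Blackboard's Input Validation Filter. Rule names,
actions, parameter names and sample requests are constructed.

Each rule has a scope ("*" or a list of parameter names), a regular
expression, and an action: "reject" blocks the whole request, "sanitize"
strips the matching text and lets the request through.
"""
import re
from urllib.parse import unquote_plus

DEFAULT_RULES = [
    # Generic rules applied to every parameter.
    {"name": "script-tag", "params": "*", "pattern": r"<\s*script\b", "action": "reject"},
    {"name": "event-handler", "params": "*", "pattern": r"\bon[a-z]+\s*=", "action": "sanitize"},
    {"name": "path-traversal", "params": "*", "pattern": r"\.\.[\\/]", "action": "reject"},
    # Per-parameter allowlist expressed as "anything outside this set is bad".
    {"name": "numeric-id", "params": ["course_id", "user_id"], "pattern": r"[^0-9_]", "action": "reject"},
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """Decode URL encoding repeatedly (bounded) so that %3Cscript%3E and the
    double-encoded %253Cscript%253E are both seen as '<script'. NUL bytes
    are dropped because some downstream parsers treat them as terminators."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "")


def apply_rules(params: dict, rules=DEFAULT_RULES) -> tuple:
    """Evaluate every parameter against the ruleset.

    Returns (allowed, cleaned_params, hits): allowed is False if any reject
    rule matched; sanitize rules remove the matched text from cleaned_params;
    hits lists (rule name, parameter name) for every match, which is what a
    deployment would log to tune its rules."""
    compiled = [(rule, re.compile(rule["pattern"], re.IGNORECASE)) for rule in rules]
    cleaned, hits, allowed = {}, [], True
    for name, raw in params.items():
        value = normalize(raw)
        for rule, rx in compiled:
            scope = rule["params"]
            if scope != "*" and name not in scope:
                continue
            if rx.search(value):
                hits.append((rule["name"], name))
                if rule["action"] == "reject":
                    allowed = False
                else:
                    value = rx.sub("", value)
        cleaned[name] = value
    return allowed, cleaned, hits


if __name__ == "__main__":
    # Constructed sample requests: a clean one, a double-encoded XSS attempt,
    # an event-handler payload that gets sanitized, and a bad course id.
    for request in (
        {"course_id": "_123_1", "q": "hello world"},
        {"q": "%253Cscript%253Ealert(1)%253C/script%253E"},
        {"q": "<img src=x onerror=alert(1)>"},
        {"course_id": "1 OR 1=1"},
    ):
        print(request, "->", apply_rules(request))
```

Two practical notes. The generic "sanitize" rule is deliberately the weakest part of the example: stripping `onerror=` from a value changes legitimate text that happens to match, and an attacker only needs one encoding or syntax the pattern does not cover. The per-parameter rule, by contrast, states what the value is allowed to be, so it has no such bypass; where a filter like this is configurable, that is the kind of rule worth adding for each identifier the application accepts.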