Security Testing

Blackboard performs continuous internal security testing at the code level (static analysis) and the application level (dynamic analysis) to ensure it meets both Blackboard's and our customers' expectations. Furthermore, to regularly get fresh eyes on the application, Blackboard obtains security penetration testing from third-party security vendors. Any identified issues are quickly slated for repair.

Static application security testing

Blackboard leverages open source and commercial static analysis scanners to assess Blackboard Learn source code continuously. These tools allow Blackboard to identify potential vulnerabilities in the source code as the system evolves through integration with build environments. Blackboard couples automated source code analysis for security vulnerabilities with manual code reviews.

Dynamic application security testing

Blackboard leverages open source and commercial dynamic analysis scanners to assess the Blackboard Learn application continuously. The automated security scanners test for common web application vulnerabilities from the viewpoint of an end user.

Manual penetration testing

Static and Dynamic Application Security Tools cannot detect all security issues. To further mitigate security risk, Blackboard performs manual penetration testing to identify more complex security vulnerabilities and business logic issues such as improper authorization.

Security updates and advisories

Blackboard is committed to the timely identification, communication, and resolution of security vulnerabilities identified in our products. Blackboard publishes security patches and advisories through Behind the Blackboard.

Security Advisories are released with the following information:

  • Advisory ID - for Knowledge Base tracking purposes
  • Title - Brief description of affected area
  • Issue Date
  • Severity

Advisories are followed by a vulnerability overview detailing the nature of the security vulnerability, a functional issue overview describing how the system may be affected, a list of affected product version(s), a description of discovery, and a description of the solution with a link to applicable patches. Blackboard also tracks and advises our clients of any known exploitation or malicious use of security vulnerabilities. The mitigations and workarounds section describes any mitigations clients may take or whether a workaround is available. If there are multiple revisions to an advisory, a short summary of each update is provided.

Security vulnerability scoring

Blackboard follows the industry standard CVSSv2 (Common Vulnerability Scoring System Version 2.0) as a guideline. Customers may use our severity ratings as a guideline to help classify the impact of security issues found in Blackboard Learn. The rating is based on average usage, since not all vulnerabilities have equal impact on all users: for example, a customer might not have the affected module enabled, or their use of the module may not involve information as critical as another customer's.


Input Validation Filter

The Input Validation Filter acts as a first line of defense with configurable rules to protect Blackboard Learn. It is, in a sense, like a firewall for Blackboard Learn. It verifies that user requests coming in are safe by sanitizing the data through a default ruleset.

Alternate Domain Setup

Alternate Domain

Rendering user-uploaded files from an alternate domain is a defense-in-depth security control. By uploading a piece of content containing malicious scripts, a user could potentially perform session hijacking on the main Blackboard Learn session once a target user accesses the affected content.

As a method of protection against this type of activity, users can now access user-uploaded files and add custom HTML through an alternate domain. This security control leverages the browser security features, namely the "same-origin policy". As a result, malicious scripts within user-uploaded files that are rendered in one domain or subdomain are segregated from the cookies, and thus the session information, of the primary Blackboard Learn session.

This security control is another defensive layer in Blackboard's security framework to further protect users from potentially malicious user-uploaded files.

Blackboard recommends that administrators configure this security control on all of their Blackboard Learn implementations. This is a Blackboard security best practice.


Separate domain for rendering content

A separate domain or subdomain provides a more secure way of accessing user-uploaded files from a Blackboard Learn server. This separate domain helps prevent user-uploaded content containing malicious script from being used to compromise a user's Blackboard Learn session and thus user data. With a separate domain or subdomain configured, all content is delivered from the original domain to the separate domain, essentially forwarding content to the separate domain. To the user, this is completely seamless.

In the event a user-uploaded file contains malicious scripts intended to perform session hijacking, the browser's security controls, namely the "same-origin policy," help prevent the user's file-rendering session from accessing the user's primary session. The user's primary session is used for activity such as taking assessments, viewing grades, and so on. Thus, the attack is compartmentalized and the impact is limited. While attackers might gain access to content they normally do not have access to, they will not gain access to a victim's primary session or to the whole site.
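The isolation described above only holds if the alternate hostname is a genuinely different origin and the primary session cookie is not scoped to a parent domain that also covers it. The following added example (not Blackboard code) checks both conditions for a hypothetical deployment; the hostnames, the cookie Domain values and the finding strings are constructed for illustration:

```python
"""Origin-isolation check for an alternate content domain (added example).

Given the primary Learn URL, the alternate URL used to render user-uploaded
files, and the Domain attribute of the primary session cookie, decide whether
the browser's same-origin policy and cookie scoping actually keep the file
rendering context away from the primary session.
"""
from urllib.parse import urlsplit


def origin(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port


def cookie_sent_to(cookie_domain: str, primary_host: str, host: str) -> bool:
    """RFC 6265 domain matching: is a cookie set by primary_host with the
    given Domain attribute (empty = host-only) also sent to host?
    Note that cookies ignore the port, unlike the same-origin policy."""
    if not cookie_domain:
        return host == primary_host
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


def check_isolation(primary_url: str, alternate_url: str,
                    session_cookie_domain: str = "") -> list[str]:
    """Return a list of findings; an empty list means the alternate domain
    isolates user-uploaded content from the primary session."""
    findings = []
    p, a = origin(primary_url), origin(alternate_url)
    if p == a:
        findings.append("alternate URL has the same origin as the primary site")
    if a[0] != "https":
        findings.append("alternate domain is not served over HTTPS")
    if cookie_sent_to(session_cookie_domain, p[1], a[1]):
        findings.append("session cookie (Domain=%s) is also sent to %s"
                        % (session_cookie_domain or "host-only", a[1]))
    return findings


if __name__ == "__main__":
    # Constructed deployment: host-only session cookie, distinct subdomain.
    print(check_isolation("https://learn.example.edu", "https://files.example.edu"))
    # Same subdomain pair, but the cookie is scoped to the parent domain.
    print(check_isolation("https://learn.example.edu", "https://files.example.edu",
                          ".example.edu"))
```

A cookie scoped to the parent domain (the second call) defeats the control even though the two hostnames differ, which is why the cookie Domain attribute must be reviewed together with the hostname configuration.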

Special notes

The Blackboard Learn server located at the alternate hostname will only respond to WebDAV requests.

Any Blackboard Learn installation responding to a request at the alternate hostname cannot be used to perform normal Blackboard Learn functions. As a result, brands and other similar alternate file hostnames cannot use the same hostname as the file domain.

Please view the Hostname Configuration Management section of our release notes to review your hostname.

The alternate domain information is pre-configured when you enable alternate domain. We recommend not changing these pre-configured values as Blackboard only supports one alternate domain. If you do want to change the pre-configured values, you can choose to use:

  • blackboard.com
  • the domain of your site if you use a vanity URL

Enable alternate domain for serving content

When setting up a separate domain, do not use hostnames that you have set up for brands. If you do, your brands will not function properly.

  1. Navigate to Admin Panel > Security > Alternate Domain for Serving Content.
  2. Select the box to enable Alternate Domain for Serving Content.
  3. The information populates with pre-configured content.

    We recommend not changing these pre-configured values as Blackboard only supports one alternate domain. If you do want to change the pre-configured values, you can choose to use blackboard.com or the domain of your site if you use a vanity URL.

  4. Select Submit.

If HTML authoring fails to load after configuring the alternate domain, please engage with support to ensure that your environment domains are set up and configured correctly. Review your hostname configuration settings under Admin Panel > Security > Hostname Configuration.


Turn off alternate domain for serving content

  1. Navigate to Admin Panel > Security > Alternate Domain for Serving Content.
  2. Select the box to turn off Alternate Domain for Serving Content.
  3. Select Submit.

Add HTML

Add custom HTML or CSS

When you enable an alternate domain for your site in the Ultra Course View, you can now use custom HTML or CSS in a document. Select Add HTML as a new block to embed an inline third-party HTML editor in the document. You can type or paste HTML code into the editor and select Save. The encoded HTML is sent to Learn within BbML for persistence. HTML is specified in BbML with a new data-bbtype. If previously created BbML containing HTML is loaded in read-only mode, the HTML is loaded from a separate domain in an iframe.

A new CodeEditor package handles all imports required by the third-party editor and standardizes editor configurations. Otherwise, the package only wraps the editor's method for injecting itself into a DOM element. Directives and plugins that embed the editor on the page depend on the package.


Your institution must have an alternate domain configured, and the Course Role needs to have the Add/Edit embedded content with scripts into iframe privilege for this feature to work. To support enhanced security and to maintain the responsiveness of the Ultra Experience, we've used an existing solution in Learn to support this capability. If you already have an alternate domain configured, your instructors have access to add HTML in Ultra Course View documents.

If HTML authoring fails to load after configuring the alternate domain, please engage with support to ensure that your environment domains are set up and configured correctly.