Jeff Longland

Relax, don't worry – have a home brew!

Blackboard DevCon 2011 – Blackboard Learn Security Reference Architecture

with 2 comments

  • Slide deck has an interesting slide on threat categories and corresponding controls
  • Recommend SSL system-wide  with 2048-bit key.
  • Secure performance – SSL on the load balancer rather than the server (off-loading to be supported soon)
  • Adopt a single sign-on provider (SSO) to enforce strong passwords, password resets, throttling/locking
  • Session hijacking risk in Content Management – disable usage of persistent cookies (users will have to authenticate multiple times)
  • bb-tasks.xml can be used to tweak session invalidation
  • Look at Session Fingerprinting to prevent session hijacking.
  • Consider whether Guest access is needed.  Four places to toggle:  Gateway Options, Course Tools, Default Course Settings, Default Organization Settings
  • Enable Globsl Cross-site Scripting Filter (on by default at strictest setting).  Also enable for file uploads (bbconfig.fileupload.enable.xss=true)  Article in WikiKB with more info.
  • Evaluate which system and course/organization roles require ability to enter dynamic content.
  • Enable Grade History.  Do not allow instructor to clear the history.
  • Monitor for changes to system configuration – properties files in config folder  and system registry in database table
  • Monitor privileged accounts for access from unexpected IPs / user agents in BBLEARN.sessions table
  • If CVSSv2 score is > 7, Blackboard will usually release a patch (unless it’s something widespread and better handled by a service pack)
  • Contact LearnSecurityCommunity@blackboard.com if you’d like to participate in a security community
  • Real-time anti-virus scanning is on the roadmap.
Advertisements

Written by jlongland

July 12, 2011 at 10:13 am

2 Responses

Subscribe to comments with RSS.

  1. Very useful info. Thanks for summarizing that session. Do you know where one can get the session notes (ppt)?

    Thank you.

    David Lyon

    September 13, 2011 at 1:50 pm

  2. Sorry, I’m really not too sure. There are usually slides on connections.blackboard.com, but I don’t see any for this particular session.

    jlongland

    October 20, 2011 at 9:18 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: