As part of our ongoing efforts to keep our clients informed about important updates related to the security of the Blackboard Learn™ platform, I’d like to update all of you in our client community with a quick snapshot of some meaningful security enhancements recently released and coming in early Q1.
I encourage clients not already on Service Pack 8 or higher to make plans to upgrade so you can take advantage of strengthened security safeguards and patches. Our Managed Hosting team implements Security Best Practices as part of the standard procedures. If you are a Self Hosted client and have any questions about Security Best Practices for your Blackboard Learn system, please feel free to contact Client Support for assistance.
Recently Released Security Enhancements
Faster Fixes through the Input Validation Filter Building Block
The Input Validation Filter is an enhanced line of defense to confirm data coming into Blackboard Learn is safe by mitigating cross-site scripting. The Input Validation Filter, available for clients on 9.1 SP7 HF1 and higher, defines a series of well-structured data fields within Blackboard Learn (such as the Course ID field) and explicitly lists criteria and patterns that are acceptable entries for each field. If data entered does not match the criteria, it will be rejected. In addition to blocking risky data, the Input Validation Filter Building Block also logs data through 24 fields of information and four event codes to help detect unusual activity.
Safer File Rendering – Alternate File Domain Settings for Serving Content
With Release 9.1 Service Pack 10, files uploaded by users are stored in and opened from another web domain to protect against potentially malicious uploaded files. This security control helps protect against cross-site scripting attacks performed through malicious uploaded files by leveraging the internet browser’s existing security control, the “same-origin policy.” For example, your institution’s main Blackboard site may be “https://blackboard.myinstitution.com” while content is served from “https://blackboard-content.myinstitution.com”. By using an alternate domain, the user’s cookies, and thus session information, are further protected from potentially malicious scripts in uploaded HTML files.
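A check that a self-hosted administrator could run against their own hostnames, given here as an added example that is not Blackboard's code. It uses the two hostnames from the paragraph above. The cookie name and attributes are constructed, and path matching is ignored. It shows that the alternate domain only isolates the session when the session cookie is not scoped to the shared parent domain.

```javascript
// Added example, not Blackboard code. Hostnames come from the post;
// the cookie name and attributes below are constructed for illustration.
const MAIN = "https://blackboard.myinstitution.com";
const CONTENT = "https://blackboard-content.myinstitution.com";

// Same-origin policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Would the browser attach this cookie to a request for `url`?
// Host-only cookies (no Domain attribute) go back only to the host that set them;
// cookies with a Domain attribute go to that domain and every subdomain (RFC 6265).
function cookieSentTo(cookie, url) {
  const target = new URL(url);
  const host = target.hostname.toLowerCase();
  if (cookie.secure && target.protocol !== "https:") return false;
  if (!cookie.domain) return host === cookie.setBy.toLowerCase();
  const domain = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Report configurations in which uploaded HTML would still share state with the session.
function auditContentDomain(mainUrl, contentUrl, sessionCookie) {
  const findings = [];
  if (sameOrigin(mainUrl, contentUrl)) {
    findings.push("uploaded files are served from the application origin");
  }
  if (cookieSentTo(sessionCookie, contentUrl)) {
    findings.push(`cookie "${sessionCookie.name}" is also sent to the content host`);
  }
  return findings;
}

// Constructed session cookies: one host-only, one scoped to the parent domain.
const hostOnly = { name: "session_id", setBy: "blackboard.myinstitution.com", domain: null, secure: true };
const parentScoped = { ...hostOnly, domain: ".myinstitution.com" };

console.log(auditContentDomain(MAIN, CONTENT, hostOnly));          // isolated: no findings
console.log(auditContentDomain(MAIN, CONTENT, parentScoped));      // cookie crosses to content host
console.log(auditContentDomain(MAIN, MAIN + "/files/", hostOnly)); // no alternate domain in use
```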
Coming in Early Q1 2013*
Safe HTML Filter for the Content Editor
Trusted users—faculty and other content editors—often use rich, complex HTML in course design. The new Safe HTML Filter, coming in early Q1 2013 for 9.1 SP 11, will ensure only these trusted users can enter complex HTML and block other roles from uploading potentially malicious data that could result in a cross-site scripting attack.
For more information
Information on these capabilities can be found on Behind the Blackboard. For more information on Blackboard’s security practices, see the Blackboard Learn Vulnerability Management Commitment and Disclosure Policy and recorded Webinars on secure configuration and security program overview for self-hosted customers and managed hosted customers. Our Security team and others from our product leadership team, including myself, are always happy to talk further with any of you who have questions or concerns about Security.
*Statements regarding our product development initiatives, including new products and future product upgrades, updates or enhancements represent our current intentions, but may be modified, delayed or abandoned without prior notice and there is no assurance that such offering, upgrades, updates or functionality will become available unless and until they have been made generally available to our customer.