Comment by gdhkgdhkvff

11 hours ago

It’s wild to me that people in this comment section are suggesting that schools should improve their security by rolling their own platform, which is bound to be filled with security holes, instead of using a popular, maintained, open source option.

To be fair to the idea, though, while this would make individual instances less secure, it would drastically decrease the leverage for the work bad actors put in.

There is a saying in the software security industry that (I'm paraphrasing from rusty memories) a system is secure if the cost of hacking it is higher than the value it protects.

Each system being completely distinct from another means that the cost of hacking the average student goes up by 9000 (from the article, Canvas is used by 9000 schools).

Still not saying that rolling out your own is the preferred solution, but the idea is not as ludicrous as it would seem, and should definitely be entertained and discussed, at least.

Maybe. I still remember the Drupal community sneering at the New York Times when they unveiled their homegrown online news platform bitd. After 15 years of recursively scraping ad-hoc porn sites off of server hard drives when clients dragged their feet on migrating to latest versions, I'm less certain the assumption that homegrown == less secure is as valid as it sounds.

  • Could you explain the last sentence a bit more? I don’t follow

    • Back before the Laravel folks' utterly misguided but weirdly popular attempts at turning PHP into JavaScript gutted the Drupal community (your boos mean nothing, I've seen what makes you cheer), one of the most common outcomes of a site getting hacked was that malware-infested porn sites would be uploaded to the site server. This failure mode wasn't particular to Drupal; it's just what happened when websites got hacked. This was the same period of time when the Drupal project was reporting ~16M active installs, had literally thousands of developers volunteering code to the core development project, a dedicated security team, and an automated test suite that ran around the clock.