Totara Talent Experience Platform Open Discussions

Safety of TOTARA Software

Hans-Georg Frank
by Hans-Georg Frank - Friday, 14 October 2022, 12:43 AM

Hi everyone, 

As a commercial company in the construction machinery sector, we are looking for a suitable LMS. Together with a supplier, we have dealt intensively with TOTARA and would like to license it. Our IT department doubts that an "open source software" can be secure.
Since everyone here uses TOTARA, you must be convinced that it is secure software (compared to proprietary commercial providers). What "solid" arguments support TOTARA's security? Who can give references for or from a large industrial company that has been using TOTARA for a long time?
Thank you in advance

Hans-Georg Frank

Brendan Cox
Re: Safety of TOTARA Software
by Brendan Cox - Sunday, 16 October 2022, 6:13 PM

Hi Hans-Georg,

Thank you for raising this. I would like to offer input from Totara's side.

Both open source and proprietary code can include vulnerabilities. Consider this Known Exploited Vulnerabilities Catalog - proprietary software features prominently.

What we think is most important is reducing those vulnerabilities and responding quickly when they appear. Key things we do to support this:

  1. Security is supported by our quality management processes. We perform review and testing of each change to code, and this covers looking for security issues. This is complemented by automated testing (unit and integration tests) which will cover security where appropriate.
  2. We commission an external pen test on our new features each year. This helps us to identify vulnerabilities that have got past our process and where that happens, we consider improvements going forward.
  3. We self-assess against the OWASP Application Security Verification Standard. This helps us to stay aware of how we are tracking against industry best practice.
  4. Fixing security issues automatically takes priority for us. We will have fixes out with our monthly release and if a vulnerability has been found just as we're about to release, it is not uncommon that we'll choose to halt the release by a day or two to fix and test.

Companies and government organisations using our software can be found here.

I hope this helps.


Kind regards,

Brendan Cox

Senior Security Engineer at Totara

Hans-Georg Frank
Re: Safety of TOTARA Software
by Hans-Georg Frank - Monday, 17 October 2022, 6:48 AM

Hi Brendan,

Thank you very much for your quick reply to my question in the forum. I have forwarded it to our IT department and have now had a detailed discussion with the IT managers.

The first doubts about the security of TOTARA arose when the CISCO Umbrella, which is used to secure our network, struck during the use of the test installation of TOTARA and prevented the connection, stating that parts of TOTARA are MALWARE.
An exception was then programmed so that we could continue with the evaluation.
As a result of this incident, our IT department is urging us to include a clause in the contract that Totara or our service provider guarantee that the software is so secure that the CISCO Umbrella will no longer strike.

A second point, which is at least as important, is the fear that code (from a third party?) is used in TOTARA, which may lead to additional claims from the rights holder at a later date (possibly only in a later TOTARA version). Our IT was also confronted with such a case (when using an open source software) in the recent past. In this case, the claims of the rights holder were in the low six-figure euro range and far exceeded the costs saved by using the software.

Can you also say something about these points? We still consider TOTARA to be the software of our choice, but of course we have to accept and fulfil the demands of our IT managers.

I hope you can allay the concerns of the IT managers.


Kind regards


Hans-Georg Frank

Brendan Cox
Re: Safety of TOTARA Software
by Brendan Cox - Monday, 17 October 2022, 3:57 PM

Hi Hans-Georg,

Glad Totara is still the software of choice. For specific responses, especially around contractual clauses, it will be best to discuss these with your Totara Partner.

To cover them in general terms:

First, regarding the Cisco Umbrella: given the complexity and differences across software, it is relatively common for security products to present false positives. However, if there are alerts that are troubling your team, these can be raised with your partner, who can then open a helpdesk ticket with us to investigate, if necessary.

Second, regarding third-party code: we do include third-party libraries. These are chosen carefully and we only include libraries with permissive licenses that are compatible with our own. We track which libraries are included, along with their licenses. As site administrator, if you visit the URL ‘/admin/thirdpartylibs.php’, you’ll see this list. You may like to discuss this with your partner also. If they provide plugins or customisations, you’d need to confirm their policy on this matter as they may not appear on that list.


Kind regards,

Brendan Cox
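The third-party library list Brendan points to is only useful if someone actually checks it against a policy. The following is an added example and not Totara's code: a small Python audit over a constructed inventory written in the Moodle-style `thirdpartylibs.xml` layout (that file format, the allowlist and every library entry here are assumptions for illustration; the post only mentions the `/admin/thirdpartylibs.php` page). It flags libraries whose license is missing or outside an assumed organisational allowlist, and libraries with no recorded version, which is the check an IT department with the concern above would want to repeat on each upgrade and on any partner plugin that ships its own inventory.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample in the <libraries><library>...</library></libraries>
# layout used by Moodle-derived thirdpartylibs.xml files. The format and all
# library entries are assumptions for illustration, not Totara's inventory.
SAMPLE_INVENTORY = """<?xml version="1.0" encoding="UTF-8"?>
<libraries>
  <library>
    <location>lib/sample-widgets</location>
    <name>sample-widgets</name>
    <version>2.3.1</version>
    <license>MIT</license>
  </library>
  <library>
    <location>lib/sample-http</location>
    <name>sample-http</name>
    <version>1.0.4</version>
    <license>Apache</license>
    <licenseversion>2.0</licenseversion>
  </library>
  <library>
    <location>local/vendorplugin/lib/chartkit</location>
    <name>chartkit</name>
    <version>5.1.0</version>
    <license>Proprietary</license>
  </library>
  <library>
    <location>lib/sample-crypto</location>
    <name>sample-crypto</name>
    <version>0.9.0</version>
  </library>
</libraries>
"""

# Assumed organisational allowlist. A real policy is agreed with legal and the
# Totara Partner and must be compatible with Totara's own license.
DEFAULT_ALLOWLIST = frozenset({"MIT", "BSD", "APACHE", "LGPL", "GPL"})

FIELDS = ("location", "name", "version", "license", "licenseversion")


def parse_inventory(xml_text: str) -> list[dict]:
    """Return one dict per <library>; absent or empty fields become None."""
    root = ET.fromstring(xml_text)
    libs = []
    for lib in root.iter("library"):
        entry = {}
        for field in FIELDS:
            node = lib.find(field)
            text = node.text.strip() if node is not None and node.text else ""
            entry[field] = text or None
        libs.append(entry)
    return libs


def check_licenses(libs: list[dict], allowlist=DEFAULT_ALLOWLIST) -> list[str]:
    """Flag libraries with no license, a non-allowlisted license, or no version.

    The version finding matters for security as well as licensing: without a
    recorded version you cannot match the library against published advisories.
    """
    findings = []
    normalised = {name.upper() for name in allowlist}
    for lib in libs:
        label = "%s %s (%s)" % (
            lib["name"] or "?", lib["version"] or "?", lib["location"] or "?")
        if not lib["license"]:
            findings.append("%s: no license recorded" % label)
        elif lib["license"].upper() not in normalised:
            findings.append("%s: license '%s' not in allowlist" % (label, lib["license"]))
        if not lib["version"]:
            findings.append("%s: no version recorded, cannot match advisories" % label)
    return findings


def audit(xml_text: str, allowlist=DEFAULT_ALLOWLIST) -> list[str]:
    """Parse an inventory and return the list of findings (empty means clean)."""
    return check_licenses(parse_inventory(xml_text), allowlist)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Run against the real inventory of each installed component rather than the constructed sample, and treat a non-empty result as a question for the partner before go-live, since plugins and customisations may keep their own list or none at all.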