BigBlueButton is an open-source web conferencing system developed primarily for online education. It enables universities and colleges to deliver a high-quality learning experience to remote students. Through BigBlueButton, users can enter the conference as either a viewer or a moderator. The project supports sharing PDF and Microsoft Office documents, as well as audio and video sharing, desktop sharing, extended whiteboard capabilities (such as a pointer, zooming and drawing), and public and private chats (including webcams or audio-only). In addition, BigBlueButton features integrated VoIP using FreeSWITCH, and can record conferences for playback.
BigBlueButton had all the key ingredients in place to offer first-rate online education to “every student with a web browser.” What they were missing was a way of keeping user records as safe as possible. The project’s developers wanted to ensure that BigBlueButton adheres to privacy and security best practices. But that was difficult given the range of CMS and LMS platforms that deploy the software, such as Moodle, Sakai, WordPress and Drupal. The BigBlueButton Foundation needed to provide assurance that BigBlueButton was not opening the door to cyber attacks for any of its users, no matter which system they worked with.
The SecurifyLabs Solution
We took seriously BigBlueButton’s concerns regarding the confidentiality and integrity of student and instructor records, as well as their IP addresses. Our team performed a deep analysis of the most likely threat surface for BigBlueButton users. After that, we applied SecurifyLabs’ high-assurance code security process, performing both automated and manual reviews of the source code. Our assessment identified potential security risks, which we presented as a prioritized list of actionable items for BigBlueButton’s development team to fix. By incorporating SecurifyLabs’ suggestions, BigBlueButton can ensure that its users benefit not only from world-class online education, but also from world-leading online security. And it’s all possible at no cost to the project’s developers.