
You're reading from Moodle 4 Security

Product type: Book
Published in: Mar 2024
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781804611661
Edition: 1st Edition
Author
Ian Wild

Ian Wild is a technologist and lead developer for AVEVA. Ian's work is currently focused on designing and developing solutions to integrate AVEVA's portfolio of cloud-based simulation applications into the AVEVA Unified Learning training platform. Ian has traveled the world working as an eLearning consultant and trainer, helping educators develop and deliver inspiring and engaging online learning. Ian is the author of the popular textbooks for teachers Moodle Course Conversion and Moodle 1.9 Math. As a developer, he is the author of Moodle 3.x Developer's Guide. He was also a technical reviewer for Science Teaching with Moodle 2.0, Moodle Multimedia, and Practical XMPP. All of the aforementioned books are available from Packt Publishing.

Understanding Vulnerabilities

In the previous chapter, we learned how a threat actor might test the security of our Moodle installation and exploit its vulnerabilities. Bug hunters use these same tools and processes to find security issues. But once issues are discovered, how are they tracked? How can we be notified when a new vulnerability is identified? In this chapter, we’ll learn how. We will investigate vulnerability tracking – both in general and for the Moodle project in particular. Through a better understanding of vulnerabilities, we can be better protected against them.

In this chapter, you will do the following:

  • Learn how to keep up to date with any security patches and enhancements
  • Explore both freely and commercially available tools that can be used to check Moodle code for security vulnerabilities
  • Learn more about cloud platform-specific security tools that can be used to protect a Moodle-based infrastructure

We’...

Technical requirements

The Third-party vulnerability scanners section includes a discussion on development tools – using Visual Studio Code as the development environment. If you aren’t familiar with Moodle plugin development, then you can skip this section. However, if you are planning to develop any Moodle plugins, then it will be helpful to be familiar with the ideas outlined in that section so that you can have an informed discussion with your developers about following appropriate coding standards.

Tracking vulnerabilities

All security vulnerabilities are tracked using the National Vulnerability Database (NVD). The NVD is a comprehensive database of known security vulnerabilities and exposures in software, hardware, and other information technology products. It is a United States government initiative managed and operated by the National Institute of Standards and Technology (NIST). Key features and functions of the NVD include the following:

  • Vulnerability repository: The NVD serves as a centralized repository that collects and maintains information about vulnerabilities from various sources, including software vendors, security researchers, and other organizations. It includes details such as vulnerability descriptions, Common Vulnerabilities and Exposures (CVE) identifiers, severity scores (such as Common Vulnerability Scoring System (CVSS) scores), and references to patches or mitigations.
  • CVE identifier assignment: The NVD...
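The NVD publishes the records described above as JSON, and the practical use of them for a Moodle administrator is a triage list: which entries mention Moodle, how severe are they, and which ones are still unscored. The following is an added example (not code from the book or from the NVD) that parses a constructed response in the shape of the NVD API 2.0 format and filters it by CVSS v3.1 base score; the CVE ids, descriptions and dates in the sample are placeholders, and the `keywordSearch` query parameter in the comment is the one the live API accepts.

```python
import json

# Constructed sample in the shape of an NVD API 2.0 response
# (https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=moodle).
# The CVE ids, descriptions and dates are placeholders, not real records.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001",  # placeholder
             "published": "2024-01-10T12:00:00.000",
             "descriptions": [{"lang": "en", "value": "Moodle: stored XSS in a block"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {
                 "baseScore": 6.1, "baseSeverity": "MEDIUM",
                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}]}}},
    {"cve": {"id": "CVE-0000-00002",  # placeholder
             "published": "2024-02-20T09:30:00.000",
             "descriptions": [{"lang": "en", "value": "Moodle: SQL injection in a report"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {
                 "baseScore": 9.8, "baseSeverity": "CRITICAL",
                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}},
    {"cve": {"id": "CVE-0000-00003",  # placeholder; not yet scored by NVD
             "published": "2024-03-01T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "Moodle: information disclosure"}],
             "metrics": {}}},
]})


def parse_nvd(raw):
    """Flatten each NVD record to the fields a patch-triage list needs."""
    rows = []
    for item in json.loads(raw)["vulnerabilities"]:
        cve = item["cve"]
        summary = next((d["value"] for d in cve["descriptions"] if d["lang"] == "en"), "")
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        data = v31[0]["cvssData"] if v31 else {}  # records can exist before NVD scores them
        rows.append({"id": cve["id"], "published": cve["published"][:10], "summary": summary,
                     "score": data.get("baseScore"), "severity": data.get("baseSeverity", "UNSCORED"),
                     "vector": data.get("vectorString")})
    return rows


def needs_attention(rows, min_score=7.0):
    """Entries at or above min_score, plus unscored ones (they cannot yet be ruled out)."""
    hits = [r for r in rows if r["score"] is None or r["score"] >= min_score]
    return sorted(hits, key=lambda r: r["score"] or 0.0, reverse=True)


if __name__ == "__main__":
    for r in needs_attention(parse_nvd(SAMPLE_NVD_RESPONSE)):
        print(f'{r["id"]} {r["severity"]:<9} {r["score"]!s:>4} {r["published"]} {r["summary"]}')
```

Unscored entries are kept on the list deliberately: a fresh Moodle advisory often appears in the NVD before NIST assigns a CVSS score, and dropping it would hide exactly the item you most need to read.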

Moodle security management and protocols

The Moodle community and Moodle HQ adhere to the principle of responsible disclosure. Responsible disclosure is a concept in cybersecurity that outlines a set of guidelines and ethical principles for reporting and addressing security vulnerabilities in software or hardware products. Moodle adopts a coordinated approach to handling vulnerabilities to ensure that there is time to address the issue and that registered users have an opportunity to deploy the fix before details of the issue are made public. As described on the Security procedures page in the Moodle developer documentation (see https://moodledev.io/general/development/process/security), the key steps to Moodle’s approach to responsible disclosure are the following:

  1. Discovery of vulnerabilities: A potential security vulnerability is discovered. As we saw in Chapter 9, this can include issues such as software bugs, default configuration errors, or design flaws that could...

Vulnerability scanners

In Chapter 9, we experimented with a number of the more popular penetration testing tools. An important distinction between penetration testing tools and vulnerability scanners is that penetration testing requires intelligent decisions. Currently, these are made by humans – for example, in deciding to pursue a potential vulnerability once a particular system behavior or response has been observed, although advances in AI and machine learning have the potential to make penetration testing faster and more accurate. Vulnerability scanning, on the other hand, involves simply scanning applications for vulnerabilities and so can be achieved using automated tools. The OWASP maintains a list of vulnerability scanning tools at https://owasp.org/www-community/Vulnerability_Scanning_Tools. You will see from this list that there are two categories of vulnerability scanners:

  • Static Application Security Testing (SAST): This testing is typically carried out on...

Exploring cloud host-specific security tools

Cloud hosting providers can offer dedicated security tools – often to protect specific services. For example, the Amazon Web Services (AWS) Simple Storage Service (or S3 for short) is an easy-to-configure, easy-to-use file storage service. An S3 storage instance – referred to as an S3 bucket – is a popular way to store and share files. However, it is also too easy to configure a bucket to be publicly accessible – particularly when files need to be shared between different organizations. Referring to S3 storage as a bucket is a good analogy as, like any bucket, careless handling can lead to a nasty spillage. For example, Colchester (UK) City Council discovered that one of their providers had configured a publicly available S3 bucket that contained details of taxpayers and benefits recipients – see https://www.theregister.com/2023/05/17/another_security_calamity_for_capita/. But no matter how firm our security...
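The "too easy to make public" problem above comes down to two things that can be checked without any cloud tooling: whether a bucket policy contains an Allow statement for the anonymous principal with no Condition, and whether the bucket's Block Public Access setting (RestrictPublicBuckets) would neutralise such a statement anyway. The following is an added example, not code from the book or from AWS; the bucket name, account id and role name in the constructed policy are placeholders, and the check covers bucket policies only (object ACLs are a separate control).

```python
import json

# Constructed bucket policy: the first statement grants anonymous read on every
# object, the second is scoped to one IAM role. Bucket, account id and role are placeholders.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnonRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _is_anonymous_principal(principal):
    """True for the wildcard forms S3 treats as 'everyone': "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_statements(policy_json):
    """Sids of Allow statements granted to everyone with no Condition narrowing them."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]  # single-statement form
    return [s.get("Sid", "<no sid>") for s in statements
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and _is_anonymous_principal(s.get("Principal"))]


def bucket_exposed_by_policy(policy_json, public_access_block):
    """Verdict combining the policy with the bucket's PublicAccessBlock configuration.

    public_access_block holds the S3 PublicAccessBlock booleans; when RestrictPublicBuckets
    is on, S3 ignores public statements in the bucket policy, so they are not an exposure.
    """
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_POLICY))
    print("exposed:", bucket_exposed_by_policy(PUBLIC_POLICY, {"RestrictPublicBuckets": False}))
```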

Summary

In this chapter, we learned about the international effort to track security vulnerabilities in computer hardware and software, before drilling down into how security vulnerabilities in Moodle are managed and maintained.

We learned that we need to be part of Moodle’s responsible disclosure process – not only if the skills learned in Chapter 9 lead to us discovering a new vulnerability but also so that we can be notified of a new security issue in a timely manner.

Then we explored just a few of the many tools – both commercial and free – that can be used to scan a Moodle installation for known vulnerabilities. Particularly important is ensuring customizations are properly scanned. If you have paid for custom branding for your Moodle site, then you may have been sold a custom plugin without you even realizing it. We explored tools to allow developers to scan their code and give both themselves and you confidence in any extra plugins being deployed...
