Storyline and security vulnerabilities

Nov 17, 2015

This question is probably more for the lovely staff at E-Learning Heroes.

 

I have been asked by a client how robust Storyline modules are in terms of security. I know there is a lot of talk about SCORM and security, etc. But from the point of view of a software developing company, what would you say in response to the following questions (are there any specific encoding standards or rigorous testing methods that you've done to test any vulnerabilities)?

  1. How robust would the module be if an external attacker successfully injects code/scripts into the module which can be used to infect any user accessing the module?
  2. How does it handle unauthorised access or changes to learning records? For example, an employee can mark the learning module complete without actually completing the module.

Many thanks,

Anglia

3 Replies
Ashley Terwilliger-Pollard

Hi Anglia,

Thanks for reaching out here and posing two great questions. 

For both of them, I'd say that the vulnerabilities may lie more within the LMS than the Storyline published output. Specifically, you mentioned changes to learning records, and those are tracked, stored and categorized by the LMS and not within Storyline. As for code infecting the output that the user is seeing and causing issues for them while viewing, I'm not certain how such code would be a part of the Storyline published output - unless it's able to get into the individual files within the Storyline published output - but again, those would be housed within your LMS, so the first line of defense would be from the LMS setup.

I don't know that we've tested or investigated specific vulnerabilities in terms of the content being loaded to an LMS, but if you need more information I can reach out to our team to see if they have any other thoughts. 

Paul Schneider

For #2 - assuming you are using SCORM as the publishing standard, be aware that with enough effort it can be spoofed. This has little to do with Articulate and more to do with SCORM, and is also one of the reasons for xAPI. That being said, I've never personally heard of someone doing this to circumvent training scores. (I worked with another programmer to make changes for a special testing use case a client had, which is how I know for sure it can be done under the right circumstances.)
