UsingWW: Answering questions about WeBWorK security

Some colleagues at another university are lobbying to get a WeBWorK server installed (this is a large university in Ontario with more than enough resources to handle it). They have directed their director of IT to me with questions, as someone they know who runs a WeBWorK server.

It seems that the general concern they are getting from IT is that since WeBWorK is open source, it must be full of security holes. We've never had any issues, and I've never heard of anyone else having issues either. Is there any sort of reference page I can point them to that explains how things are handled with WeBWorK, and that could help ease these concerns?

The specific questions that were sent to me are:

How often the open-source community releases security updates for WebWorK? And how the WebWorK administrators like you are being informed about any security updates. What is the process to install them?
How are the risks with maintaining 24/7 server operations mitigated when there is only one person responsible for supporting the application. For example, the server goes down during off hours and the students have an assignment or exam to complete.

I believe that I've signed up for a WeBWorK security updates mailing list, but I don't recall receiving any emails, perhaps because there have not been any security threats.

The second question doesn't really sound like a risk to me; more of an inconvenience. Downtime is rare, but when it happens we turn things back on when we arrive in the morning, and if an assignment was due, the instructor gives an extension.

Re: Answering questions about WeBWorK security

by Andras Balogh - Monday, 6 February 2023, 2:57 PM

Our university is not allowing servers operated by departments. All servers, including our WeBWorK server is under IT supervision. I had to email our provost about the value of OER (even before OER was sexy) and only that made IT to work with us. IT is regularly scanning the server for security holes.

I am (a math faculty) updating the WeBWorK app about once a year just to keep up with new versions. Over the years we had 2-3 instances when WeBWorK was flagge for some kind of security vulnerability. The WeBWorK developers helped remediating those very quickly, in a day or two.
We had one or two cases when WeBWorK went down. Several times due to IT scanning intrusively for vulnerabilities. A few times due to incorrect question. Sometimes it happened over the weekend and I had to spend hours getting it back. I am lucky that I work with an IT guy who is very helpful.

Re: Answering questions about WeBWorK security

by Sean Fitzpatrick - Monday, 6 February 2023, 4:01 PM

Thanks. We have our own Linux network in our department, for the Computer Science side of things. This is because (a) it is essential for teaching, and (b) our university has laid off most of the Linux people in IT. (There is also a financial aspect: they are willing to provide me with a Linux VM on which I can run WeBWorK, but the cost recovery fee is over $1000 per year. Our Dean's office decided it would be cheaper to give me $4000 to spend on a server, under the assumption that it should last at least 5 years.)

Re: Answering questions about WeBWorK security

by Andrew Parker - Monday, 6 February 2023, 4:10 PM

> It seems that the general concern they are getting from IT is that since WeBWorK is open source, it must be full of security holes.

Practically every web application is powered by open-source software in some way or another. If their assumption is correct, then why don't we see everyone using Microsoft or Apple as the OS for their servers? ;P

But as to your main points, downtime is always a risk, though if it is at all possible to have a remote management option for your server, the duration of any downtime can be greatly reduced. For example, our WeBWorK server is now cloud hosted, and I have had no issues being able to reboot the machine in case of any problems. If remote management is not an option, then as you said, assignment extensions are a natural remedy for prolonged downtime.

In these types of negotiations, I find it useful to ask about the specific security concerns that IT has rather than a vague generalization of WeBWorK being "insecure".

With regards to data security, WeBWorK itself does not require any information about students beyond their names -- though in practice, student emails and sometimes their university IDs may be present. In terms of data exposure, email addresses are usually considered public, leaving only their private IDs as "sensitive data". If this is a major concern, then it is easy enough to avoid their use.

Other fundamental security concerns can be resolved by implementing basic security protocols. Disable root login, using sudo for privileged actions; disable password authentication for ssh, using ssh-keys instead; check for and install system package updates regularly; and firewall all ports except for SSH and HTTPS.

Finally, security issues should be reported on GitHub. Then, when the dev team has resolved the issue, updates can be implemented with `git pull` and a restart of the webwork2 service.

Using WeBWorK

WeBWorK Main Forum

Answering questions about WeBWorK security

Answering questions about WeBWorK security

Re: Answering questions about WeBWorK security

Re: Answering questions about WeBWorK security

Re: Answering questions about WeBWorK security