Is there an application security checklist in place as part of the Moodle software development lifecycle (SDLC) process? And if not, are there any plans for such a security checklist? We would propose that this kind of list be created for the purpose of fulfilling customers' security requirements.
Are there specific areas of security concern that you feel Moodle is not addressing in the development process? (Or, if there are specific, exploitable security issues that you have identified in the latest version of Moodle, please open a ticket at tracker.moodle.org to address them.)
Hi Anna,
Security is one of the items covered by our peer reviewing checklist, which forms part of the code/integration review process during development. We also have a Vulnerability Disclosure Program (see our security submission form page for more details, or to submit any potential security issues), and a responsible disclosure policy (more information in our security procedures documentation).
On the site administrator side of things we have documented security recommendations and within Moodle itself there is a Security Overview Report, which can be run to provide a list of configuration options/security items and whether they have been configured securely. If you are interested in this side of things, you might also find this article helpful: Top Security Tips for Moodle Administrators.
I hope that helps, but please let me know if you have any other questions!
Mick