Dual Code takes all reasonable precautions to safeguard customer data maintained on our servers and to protect the system against unauthorized use or tampering. We have adopted OWASP recommendations within our organization to ensure that our learning environment, including all customizations, enhancements and third-party plug-ins, are secure. The following are just some of the system and data security measures that we support.
Dual Code has partnered with large carriers such as Amazon AWS® to ensure the highest level of security and availability of our systems. Our hardware and network equipment are managed by our partners in their world-class data centers, allowing Dual Code to focus on what we do best: design and develop innovative, custom eLearning solutions.
AWS supports more security standards and compliance certifications than any other offering, including SOC, helping customers satisfy compliance requirements for virtually every regulatory agency around the globe.
All servers, including production and staging servers, are hosted in Canada for our Canadian clients.
Servers are protected using Two-Factor Authentication for web access. In addition to their username and password, server administrators are required to enter a unique 6-digit code that expires every 30 seconds as part of this 2-step verification process.
Remote shell connection is only allowed using a secure shell (SSH), which uses private/public key cryptography. Passwords are disabled.
The Dual Code Learning Management System (LMS) is a custom implementation of Moodle®, the world's most popular open-source learning management system. Moodle is a widely trusted and secure platform utilized by industries like military and banking. Users of Moodle in these industries are dedicated to security and regularly perform penetration testing to identify and disclose vulnerabilities to the Moodle team. Our product leverages this commitment to security, and we benefit from Moodle's rigorous testing and remediation efforts.
Bugcrowd™ is a crowdsourced security platform. Founded in 2011, it is now one of the largest bug bounty and vulnerability disclosure companies on the internet. Bugcrowd combines analytics, technology, and the power of the ethical hacker community
to find hidden vulnerabilities our platform before they can be exploited.
Moodle has in place a responsible disclosure procedure that asks ethical hackers to submit their findings using a form that is linked to their Bugcrowd program. This ensures more efficient triage of incoming security issues and a smoother overall responsible
disclosure process.
Our learning environment meets requirements specified in the OWASP Top 10 list. Dual Code has adopted OWASP recommendations as part of our software development process for any customizations and enhancements made to Moodle.
Dual Code servers are protected by firewalls and intrusion prevention software to protect against threats from hosts that are trying to breach the system’s security. All non-essential ports are blocked and intrusion prevention software automatically updates firewall rules to reject IP addresses that show malicious signs such as multiple failed login attempts. Antivirus software scans all uploaded files to detect trojans, viruses, malware & other malicious threats.
In addition to the IPS (Intrusion Prevention System), the Dual Code system has an anomaly-based IDS (Intrusion Detection System) that detects misuse by monitoring user activity and classifying it as either normal or anomalous. The classification is based on rules and attempts to detect any type of misuse that falls out of normal system usage. The IDS provides a second line of defense to detect anomalous traffic from users who may have a valid account on the system.
Dual Code employs a 3rd party external vulnerability scanner that checks our platform and software for over 9,000 vulnerabilities that include web-layer security problems (such as SQL injection and cross-site scripting), infrastructure weaknesses (such as remote code execution flaws), and other security misconfigurations (such as weak encryption configurations). The scanner employs continuous proactive vulnerability scanning for the latest emerging threats as they arise.
Data at rest is encrypted with a data key using an industry-standard AES-256 algorithm.
Data in transit is protected using TLS 1.2 or greater and high-grade encryption (256 bit), thereby making it virtually impossible for unauthorized people to view information traveling between computers over the Internet.
By default, the system requires that each user authenticates him/herself using a unique username and password combination. If self-registration is enabled, meaning users can create their own account, Dual Code can restrict new users to have an email address
that matches a particular domain
In addition, all Dual Code administrators have Multi-factor authentication (MFA) enabled on their accounts.
The system also has the ability to allow “guests” or anonymous users - a feature that may be useful to some clients - but that is disabled by default.
When a user signs in the system using a new device, the system will automatically send them an email notification. The email informs the user when the authentication took place, the device type, and the IP address for the authentication. The user is informed that if it was them who logged in, then there's nothing for them to do, but if they don't recognize the activity in question, that they should change their password.
Note that this feature is disabled by default but can be enabled upon request.
By default, the system supports 7 user roles, each with different permission levels. These roles include System Administrator, System Coordinator, Supervisor, Course Creator, Lead Instructor, Instructor, and Learner.
The system allows administrators to create user groups to represent business units, departments, or geographically dispersed teams. Students and managers that belong to a user group can only see students that belong to that same group.
All user passwords are encrypted in the database.
The customer has the ability to define their own password policies. For example, customers can request that each password be at least 8 characters long, and must contain at least 1 digit and 1 non-alphanumeric character.
The system also provides users with the ability to reset their passwords and have the system email it to them should they ever forget it.
Each client has their own private database installed on the system, thereby ensuring the highest level of security. Course files are stored on a system partition that is not available from the Internet. The only way to load the courses is through secure Web pages that authenticate every single request.
Dual Code uses "shred", a Unix command that can be used to securely remove files from the hardware system when they are deleted.
To further restrict access to certain courses, a trainer can optionally set an enrolment key. When doing so, students will be required to enter this secret key prior to enrolling in the course. Users who do not have the key cannot access any of the files for that specific course.
The system keeps a detailed audit trail that can be viewed by administrators through the Web-based user interface. The LMS keeps track of the action that took place, the date and time, the IP address of the computer who initiated the request, and the title of the course that was affected by the selected request.