Cheating on tests hurts everyone. Not only does cheating inflate average scores, but every malicious test taker who circumvents security measures is also directly hurting the honest people who have worked hard to prepare for the test — cheating decreases their chances of being accepted to their college or university of choice.
We know that the Duolingo English Test can open the door to life-changing opportunities and that people work hard to get a good score. That’s why we take the security of the Duolingo English Test very seriously — it’s imperative to ensure that every test taker's score is absolutely reliable.
A security arms race
One of the ways that test takers can cheat on the test is to subvert the security protocols employed by the test provider. Paper based tests are prone to a host of physical security problems that digital tests don’t have to worry about. However, digital tests inherit the unavoidable security vulnerabilities of computing systems, opening them up to novel cybersecurity attacks. Attackers can compromise the security protocols, and allow malicious test takers to increase their scores by exploiting such vulnerabilities. So how do digital test providers approach this new aspect of assessments?
Looking at the digital assessment industry as a whole, we've noticed a concerning pattern: there is a lack of published literature from assessment companies about the proactive steps they take towards cybersecurity. Overwhelmingly, it appears that test companies take a reactive approach, where new mitigation mechanisms are only put into place in response to scandals or attacks on their systems. In this model, security issues are addressed after there’s been a breach — so while a new security protocol might mitigate future attacks, the damage on real people has already been done.
We don’t want to fall into this trap. While no assessment company can claim to be unhackable, a proactive approach decreases the overall risk of having a significant breach. That’s why we do everything in our power to anticipate foul play. We’ve built an internal catalog of all known malicious behaviors and mechanisms used by attackers, which informs how we develop the test and continually strengthen our security measures.
But we knew this wasn’t enough — it’s almost impossible to anticipate every single kind of threat out there. Security is essentially an arms race, and we always want to keep one step ahead of the attackers. So we decided to take things to the next level.
Put to the test
To ramp up our assessment security protocols, we took inspiration from the related area of cybersecurity and decided to put Duolingo English Test security through penetration testing. In this process, security experts are paid to break into our systems, in order to expose potential weaknesses.
By hiring outsiders to thoroughly test our security systems and protocols, we get to take a hard look at potential gaps in our security — without sacrificing the fairness of the test by allowing malicious attackers to exploit the vulnerabilities before we fix them.
First, the experts focused on the two main components of the Duolingo English Test’s security infrastructure: the desktop application, which every test taker must download in order to take the exam, and our servers, which are the machines "in the cloud" that communicate with the desktop application and serve up test content, grade the test, enable score sharing, and more.
We gave the experts a copy of the application, accounts with high access to the servers' backend, as well as the actual source code for both. Their mission was to expose any and all potential gaps in our security infrastructure.
Once the security experts had tackled these two pillars of our security system, the hackers put the Duolingo English Test through a battery of additional tests. For these tests, we were not aware of the exact attacks being developed and tested on our systems. For six weeks, experts tried every potential angle of attack, including trying to break authentication mechanisms, subverting test session management, circumventing data protecting protocols, and hacking the desktop application and server code, and dozens of other angles of attack.
After the penetration testing was complete, the security auditors reported their findings to us. We are pleased to say that this rigorous audit didn’t surface any attacks that would fundamentally compromise the security of the test. For the few minor vulnerabilities they did find (most of which we already suspected were present) they proposed high-level solutions for addressing them — and because there were so few, our engineers were able to resolve the entire list in only a month!
Staying ahead of the game
Digital-first high-stakes testing requires a proactive approach to security, which is precisely why penetration testing is so worthwhile. We’ll be repeating this process on a regular basis to stay ahead of security threats, and we hope this will inspire other digital assessment providers to follow suit. At the end of the day, secure testing is a cornerstone of fair testing, and we want to bring the whole industry along with us.
To learn more about Duolingo English Test security, check out other security-related posts here on the blog!