13 Replies Latest reply on Mar 26, 2014 7:34 AM by taylorsharpe

    Is FileMaker Secure and Security Plans?

    taylorsharpe

      I recently had a discussion with a client who wanted to know how secure FileMaker is and about security documentation for databases.

       

      The enterprise level of security (e.g., big corporations, governments, etc.) involves documenting a database's security plan. The International Standards Organization has a standard, ISO 27001, that steps through how to document security and have minimum security standards; it is a very thorough documentation standard and includes auditing, etc. Or you can look at the US Government's standard for documenting information database security plans, which was developed by the National Institute of Standards and Technology (NIST) in their Special Publication 800-53 (current version is revision 4). Basically the 800-53 publication shows you how to document all of the controls associated with a database.

       

      I think some of the security plans described above are overkill and just document security you have hopefully already implemented. If you follow the FileMaker Security Guide, you'll meet minimum levels good enough for Top Security for the US Government computers, but if it's a US Government computer, you'll still have to do a security plan.

       

      The US Department of Homeland Security maintains a National Vulnerability Database to document all known vulnerabilities in various software. A search for FileMaker in March 2014 showed FileMaker to have had only 5 vulnerabilities documented since the year 2000. None since version 5 of FileMaker in the year 2000 have been classified as a High vulnerability (the other 4 were all Medium level). Compare this to Oracle, which has 2585 vulnerabilities, and MySQL, which has 461 vulnerabilities as of March 2014. Oracle's most recent vulnerability was in January 2014 and listed as a High vulnerability. MySQL's last High vulnerability was this month (March 2014) and is a SQL injection attack.

       

      While FileMaker can never claim to be invulnerable, it certainly looks to have a lot fewer security issues than other major database platforms, and this vulnerabilities database certainly makes FileMaker seem to have a very good security record. In other words, from the security perspective, FileMaker is a good choice.

        • 1. Re: Is FileMaker Secure and Security Plans?
          Mike_Mitchell

          Good news, Taylor. Can you link to that National Vulnerability Database? It would be handy to have in our back pockets for client discussions.  

          • 2. Re: Is FileMaker Secure and Security Plans?
            beverly

            one wonders if IT departments take as great care with FM dbs as with the SQL (or other) ones. Security has a bunch of layers and if any one of them is not followed, there is less security.

             

            On this forum, get this document, "Security Guide for FileMaker 13"

                 https://fmdev.filemaker.com/docs/DOC-3721

             

            and on FMforums, check this blog:

                 http://fmforums.com/forum/blog/13-filemaker-security-blog/

             

            Beverly

            • 3. Re: Is FileMaker Secure and Security Plans?
              mikebeargie

              I equate this to the "There's no viruses for mac because there aren't as many macs" conundrum. Is there any statistical ratio on that tracking to show how many users are affected by each implemented platform? While there is a lot of Filemaker out there, it's a tiny fraction of the pie, and almost certainly you can expect more exploits in the largest slices of said pie.

               

              If a hacker spends _X_ hours figuring out to exploit a platform to steal data, will he spend that time to exploit platform A, which has 2500 users in North America, or platform B, which has 2,000,000 users in N. America? Unless he has gained some sort of inside knowledge on platform A via social engineering, then almost certainly the greater reward is platform B.

               

              This discussion came up a few weeks ago. In terms of FileMaker being "secure", it's not a matter of FileMaker being compliant with security requirements (i.e. HIPAA, PCI, etc.), as out of the box it is. It's a matter of making your solution and user management secure. With the new encryption methods, you can go a long way to satiate even the most frumpy security expert; however, you have to purpose-build your solution on security.

               

              Well, chances are you already ARE building it that way if you're looking into that kind of compliance.

               

              Good to know at least that it's considered in that documentation!

              • 4. Re: Is FileMaker Secure and Security Plans?
                ColinKeefe

                It's here.  Search for FileMaker.

                 

                 

                3 of them are related to IWP or WebCompanion (remember that?), one is a FileMaker 5 email spoofing issue, one is a certificating issue which 12 resolves.

                 

                That said these are security vulnerabilities in the platform itself - there are a gazillion ways FileMaker developers can create security flaws in solutions, through programming or just human behavior, and that's the primary risk.

                • 5. Re: Is FileMaker Secure and Security Plans?
                  mikebeargie

                  Awww, you can't bring up WebCompanion without bringing up FileMaker Mobile as well!

                  • 6. Re: Is FileMaker Secure and Security Plans?
                    ColinKeefe

                    Yeah.  FMI should have a Retro Hackathon at DevCon - people can bring in their Claris Home Page running in an emulator and start banging out CDML.

                    • 7. Re: Is FileMaker Secure and Security Plans?
                      Mike_Mitchell

                      Excellent. Thanks!

                      • 8. Re: Is FileMaker Secure and Security Plans?
                        wimdecorte

                        I've got mine ready....

                         

                         

                        2014-03-25_17-07-28.png

                        • 9. Re: Is FileMaker Secure and Security Plans?
                          beverly

                          LOL! or let's get really RETRO and use AppleScript to "web publish FileMaker". It was the first way, ya know.

                           

                          Beverly

                          • 10. Re: Is FileMaker Secure and Security Plans?
                            taylorsharpe

                            What is surprising is that FileMaker really combines two levels of a solution, the back end schema/data and the user interface, and therefore should relatively have more vulnerabilities compared to some backend SQL database engine that does not have to report on user interface vulnerabilities also.  So FileMaker actually has a big strike against it in this database and yet it still comes out looking good.  I think we should be pointing out that FileMaker is potentially over-represented in this database.

                             

                            We all realize that FileMaker is not one of the major database players like Oracle, SQLite, MS SQL Server, or MySQL, but it probably is in the top dozen or so commercial database engines depending on how you measure things.  I looked over Wikipedia's list of relational database engines and FileMaker is clearly used a lot more than most of those listed.  I would not discount FileMaker as being a small niche database system after looking over that list.

                             

                            Things can always be said to discount FileMaker, but I'll keep pointing to neutral reporting sources like the National Vulnerability Database as documentation that FileMaker has a good security track record.

                            • 11. Re: Is FileMaker Secure and Security Plans?
                              ColinKeefe

                              Game on!

                               

                              IMG_0912.jpg

                               

                              ...er, anyone have a floppy drive?

                              • 12. Re: Is FileMaker Secure and Security Plans?
                                mikebeargie

                                What is surprising is that FileMaker really combines two levels of a solution, the back end schema/data and the user interface, and therefore should relatively have more vulnerabilities compared to some backend SQL database engine that does not have to report on user interface vulnerabilities also.

                                 

                                Well, that goes back to the "it's what you build, not what it's built on" thought for security. FileMaker itself is inherently secure to a certain point, but if you build in an exploitable piece of interface/script/code, then it's not FileMaker's fault or vulnerability. Just as if someone builds an export.php script that dumps all database files to raw CSVs, or a clear.php script that wipes out all the data, it's not MySQL's or PHP's fault or vulnerability. I would imagine that neutral sources will find very few "out of the box" vulnerabilities in FileMaker.

                                 

                                A lot depends on the communication between the UI and database host, as that's where most attacks (i.e. SQL injection) will take place. FileMaker is quite different from other platforms in that aspect by having both in the same compiled application, to the point where I consider it more secure in data protection than some of the other formats.

                                • 13. Re: Is FileMaker Secure and Security Plans?
                                  taylorsharpe

                                  SQL injection attacks are a real pain for databases subject to them.  I am very happy that FileMaker does not allow improperly formatted SQL to ever have control of OS functions.

                                   

                                  FileMaker has a good set of tools to make things secure, but FileMaker can only make the tools.  The developer has to properly use them.  Fortunately FileMaker has made it relatively easy to do this. 

                                   

                                  One suggestion I would have is that FileMaker become an ICANN authorized distributor and distribute their own already authorized SSL certificates with the installation software.  After all, FileMaker knows at least as much and often more than an ICANN seller of SSL certificates.  And by doing so, that would take out the hassle of buying a certificate elsewhere and using the command line to install it and make sure it is one of the approved SSL providers, etc.  That would be one thing that FileMaker could do to make security easier in the future.
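Replies 12 and 13 above turn on the same point: the injection risk lives in the layer that builds a query from user input, not in the engine. The following is an added example written for this page, not code from the thread or from FileMaker, Inc. It uses Python's built-in sqlite3 module as a stand-in for whatever backend the UI talks to, with a constructed three-row customers table, and shows the flawed pattern (splicing the user's text into the SQL string) beside the hardened one (binding the value as a parameter). The table, rows, and the hostile input string are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a real backend table.
# None of this comes from the forum thread; it exists only to run the demo.
SAMPLE_ROWS = [
    ("acme", "Acme Corp", "acme-secret"),
    ("globex", "Globex", "globex-secret"),
    ("initech", "Initech", "initech-secret"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account TEXT, name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, account):
    """The flawed pattern: the user's text becomes part of the SQL itself.

    A value such as  x' OR '1'='1  closes the literal and appends a tautology,
    so the WHERE clause matches every row instead of one account.
    """
    sql = "SELECT account, name FROM customers WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account):
    """The hardened pattern: the value travels as a bound parameter.

    The SQL text is fixed at  account = ?  and the driver supplies the value
    separately, so quotes or keywords in the input are just characters to
    compare against, never syntax.
    """
    sql = "SELECT account, name FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def demo():
    """Run both lookups against an honest and a hostile input.

    Returns a dict of result lists so the outcome can be inspected or asserted.
    """
    conn = make_db()
    honest = "acme"
    hostile = "x' OR '1'='1"   # constructed attacker input for the demo
    return {
        "unsafe_honest": lookup_unsafe(conn, honest),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

Running it, the unsafe lookup returns all three accounts for the hostile input while the safe lookup returns none, which is exactly the difference mikebeargie is describing between a flawed export.php and a sound one. The same discipline applies inside FileMaker: the ExecuteSQL function takes optional trailing arguments that are substituted for `?` placeholders in the query text, so field values gathered from the interface should be passed there rather than concatenated into the SQL string.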