14 Replies Latest reply on Oct 31, 2014 3:56 AM by davidhamannmedia

    If you had one hour... FileMaker Security Education

    mikebeargie

      First off, take a look at this bulletin:
      http://www.securityfocus.com/archive/1/533814/30/0/threaded

       

      Ask yourself:

      - Did I know about this, or is the first I'm hearing about it?

      - Do I understand the consequences of this type of exploit, and the mechanism of how it functions?

      - Are my files protected against this exploit?

       

      Questions like these were raised at Pause on Error in an open discussion hosted by Steve Blackwell, and a general concensus was reached, we all can do better to educate ourselves, and secure our solutions.

       

      ( By the way, the first thing you need to do to protect against the above kind of exploit is to make sure your files are encrypted at rest, as well as changing the name of the default admin account. )

      http://help.filemaker.com/app/answers/detail/a_id/11991/~/using-encryption-at-rest-(ear)-functionality-with-filemaker-products

       

      In the coming months, I will be developing an educational video titled "If you had one hour". This video will serve as an educational aid to developers of ALL levels, detailing basic concepts of how you can highly increase the security any FileMaker solution, in an hour.

       

      An hour of time is an easy sell to your clients to up their security. We all need to be comfortable suggesting and implementing securty in our solutions, and I hope having an educational resource like this will help build confidence in the development community.

       

      I invite anyone to chime in here and post content and techniques that they would like to see included.

       

      Current list of suggestions (will update as we go):

      -How to sell your clients on security, your ethical and possibly legal duty

      -Encryption at rest

      -Changing admin account name and password

      -Removing full access privilege set in distributed/live file

      -Enabling file access restrictions

      -When it's appropriate to use auto-login

      -Global variable based security settings

      -How to perform a basic white box and black box security test.

      -Developer protection when client requests full access.