4 Replies Latest reply on Nov 6, 2014 2:31 AM by Mike_Mitchell

    Web Direct Security

    kiwikaty

      Has anyone else had a security team put Web Direct through its paces, especially where it is using a company AD for the WD authentication? I am in search of the findings of such testing or some advice on what they may find. I have a project that has been delayed approval until the testing has taken place and I am trying to expedite things.

      Many thanks

      Katy

        • 1. Re: Web Direct Security
          mikebeargie

          What specifically are you looking for?

          I can tell you that yes, a properly configured FileMaker Server is secure, regardless of whether you're using FileMaker native or Active Directory security. I have not had a "security team" perform testing, but have had both whitebox and blackbox testing performed on WD to try and bypass logins to access data, and have confirmed secure access.

          Solution requirements can vary wildly depending on your needs. In most of my cases, a native FileMaker security account for WebDirect users is more easily implemented than AD for our needs. This keeps the FileMaker WD side detached from your AD server.

          Are you trying to use WD as a thin client for an enterprise level application? If so, have you thought about the limitations of WD vs. using FMP for your users?

          With the different licensing options out there, sometimes FMP is still the right choice over WD.

          • 2. Re: Web Direct Security
            Mike_Mitchell

            I can't speak for Katy's need, but I do know that IWP showed several vulnerabilities to web scanning tools used by our COMPSEC teams. I'd be curious to know if WD did better as well.

            Typical tools look for vulnerabilities such as IP spoofing, cross-site request forgery, XSS, SQL injection, credential passing in clear text, and so forth. (I won't comment on the number of false positives they typically generate ...)

            Edit: The tools I've seen will do things like monkey with GET or POST parameters, insert phony headers, inject various strings into the request string, etc. In other words, it directly messes with the HTTP request / reply exchange to see what it gets back. Don't know if your testing is similar.

            • 3. Re: Web Direct Security
              kiwikaty

              Hi Mike

              Yes, that is where my concerns come from. IWP was blacklisted for a project due to x-site issues a couple of years ago, so we have been doing all dev using CWP, but I have a new project about to be scanned using WD and I am hoping for a better outcome. Mr Blackwell may be able to throw me a lifeline if we get into deep water. It is tricky as, unlike CWP, if they find issues there is very little we can do to correct them. I will post again once we have the results. Wish me luck!

              Kind regards

              Katy

              • 4. Re: Web Direct Security
                Mike_Mitchell

                I have a group on site looking at having a WD site set up for scanning purposes. Let’s keep each other posted.