Corporate Customer FileMaker Security Questions/Answers?

Question asked by FileMakerProRocks on Feb 27, 2015
Latest reply on Mar 2, 2015 by johnnyb

Corporate Customer FileMaker Security Questions

I require answers to the questions below. Would anybody know the correct answers or how / where to get them?

Any FileMaker (Security) Consultant happy to help?

Any help would be appreciated!! Thanks.

Background:

FileMaker Server 13 on Mac OS X, FileMaker Pro 13 and FileMaker Go 13

Customer totally Windows / PC, no OS X

A) FileMaker Security Questions

1.1 General Questions:

a. What are the processes (e.g. ISO 9000, CMMI), methods, tools (e.g. IDEs, compilers), techniques, etc. used to produce and transform the software?

Answer:

b. What software security standards are being practiced, if any (e.g. ISO 27001, COBIT, ISO 15408)?

Answer:

c. ......

d. ......

e. Is any third party software utilized as part of this software, such as libraries, frameworks, components, and other products, whether commercial, free, open source or closed source? If yes, identify all third party software, and how do you assess the security impact of such components?

Answer: OS X 10.10 / IOS 8 / FileMaker Platform

f. Has the security of your software been verified by a third party security agency? How frequently is the assessment performed? What methodology do third parties use to conduct security assessments on your software products? Can you provide the name of the security agency and the latest summary findings report?

Answer:

g. ......

1.2 Secure Development:

h. Which Secure Development Lifecycle practice does your development team adhere to? Briefly explain how SDL is practiced throughout the application development life cycle.

Answer:

i. What threat assumptions were made for the subject software, if any?

Answer:

1.3 Security Management:

j. ....

k. What are the top vulnerabilities that the software product is tested against? What is the basis for choosing these vulnerabilities?

Answer: None

l. How are reports of defects, vulnerabilities and security incidents involving the software product collected, tracked, prioritized and addressed? What is the vulnerability-to-patch delivery time frame?

Answer:

m. What is your policy for disclosing security vulnerabilities? How and when are customers notified?

Answer:

n. What is your patch release strategy? How are patches distributed, how are patches tested prior to release, and can they be rolled back? If there are any patches, they will be deployed manually.

1.4 Authentication:

o. What directory services does the software integrate with for authentication?

Answer:

p. Is authentication being performed over a secure connection? How is this being achieved?

Answer:

q. ......

r. What authentication controls are implemented in order to secure the user authentication process? None

1.5 Authorization:

s. How is access control designed and implemented by the software?

Answer:

t. Does the system provide the ability to set an expiration date for authorization?

Answer:

u. What are the authorization roles provided by the software? Indicate which roles can perform authorization functions. Can the authorization roles be customized?

Answer:

v. How does the software validate user authorization? How are the client machine and the server involved in the authorization? How does the system behave if it cannot confirm user authorization due to a resource availability issue (e.g. network failure)?

1.6 Session Management:

w. How does the software manage user sessions?

Answer:

x. How can session timeout be set in the application?

Answer:

y. Does the system use session IDs? How do session IDs get generated, stored and transmitted?

Answer:

z. Does the application allow concurrent sessions? Does it allow concurrent sessions to be disabled? If so, how are concurrent sessions disabled?

Answer:

aa. What session management controls are implemented in order to secure the application?

1.7 Data Validation:

bb. How is data validation designed and implemented in the application?

Answer:

cc. How is data from the user encoded?

Answer:

dd. How does the system protect against Cross Site Scripting and Injection attacks? If the system uses any databases, how does the system protect against SQL Injection?

Answer:

ee. If the system allows files to be uploaded to the system, how are these files verified?

Answer:

1.8 Error Handling:

ff. How does the system handle errors in the application?

Answer:

gg. What kinds of errors are displayed to the user? Provide samples.

Answer:

hh. What controls exist to ensure the software recovers securely from errors?

Answer:

1.9 Logging:

ii. What types of logs does the software keep?

Answer:

jj. How do logs get accessed? Where are they stored? Which roles have access to each type of log?

Answer:

kk. Which logs contain business related sensitive information? Which logs contain system health information?

Answer:

ll. What is the format of the log? Can the format be customized? Does the vendor provide a parser for the log to be integrated with centralized monitoring systems?

Answer:

1.10 Data Protection:

mm. What information is considered sensitive in the application, and how is it being protected? How are user credentials handled?

Answer:

nn. What information is kept at the client machine? Is this information cached temporarily or kept permanently, and how can this information be regenerated?

Answer:

oo. What encryption and hashing algorithms are used by the application? What are they used to protect?

Answer:

pp. Is data being protected during storage? How is this being achieved?

Answer:

qq. How does the application pass data across the application? What strategy is used to decide what gets passed through GET requests, POST requests, cookies, hidden form fields, etc.?

Answer:

rr. Does the application have any demo or user configuration set up? If so, what is the process of removing these users or configurations?

Answer:

ss. Does the application protect against clickjacking? If so, how does it achieve that?

Answer:

-------------------

Side note

Known Supporting documents / links:

Protecting Deployed FileMaker Platform Systems in the Age of Cyber Attacks - FMForums

http://help.filemaker.com/ci/fattach/get/104213/0/filename/security_guide_en_13_final.pdf

http://www.filemaker.com/downloads/documentation/fm12_security_guide_en.pdf

Using Encryption At Rest (EAR) functionality with FileMaker products | FileMaker
