14 Replies Latest reply on Mar 2, 2015 2:30 PM by johnnyb

    Corporate Customer FileMaker Security Questions/Answers?

    FileMakerProRocks

      Corporate Customer FileMaker Security Questions

       

      I require answers to the questions below. Would anybody know the correct answers or how / where to get them?

       

      Any FileMaker (Security) Consultant happy to help?

       

      Any help would be appreciated!! Thanks.

       

      Background:

      FileMaker Server 13 on Mac OS X, FileMaker Pro 13 and FileMaker Go 13

      Customer totally Windows / PC, no OS X

       

       

      A) FileMaker Security Questions

       

      1.1 General Questions:

       

      a.      What are the processes (e.g., ISO 9000, CMMI), methods, tools (e.g., IDEs, compilers), techniques, etc. used to produce and transform the software?

      Answer:

       

      b.      What software security standards are being practiced, if any (e.g., ISO 27001, COBIT, ISO 15408)?

      Answer:

       

      c.      ......

       

      d.      ......

       

      e.      Is there any third-party software utilized as part of this software, such as libraries, frameworks, components, and other products, whether commercial, free, open source or closed source?  If yes, identify all third-party software. How do you assess the security impact of such components?

      Answer: OS X 10.10 / IOS 8 / FileMaker Platform

       

      f.      Has the security of your software been verified by a third-party security agency?  How frequently is the assessment performed? What methodology do third parties use to conduct security assessments on your software products?  Can you provide the name of the security agency and latest summary findings report?

      Answer:

       

      g.      ......

       

      1.2 Secure Development:

       

      h.      Which Secure Development Lifecycle practice does your development team adhere to?  Briefly explain how SDL is practiced throughout the application development life cycle.

      Answer:

       

      i.        What threat assumptions were made for the subject software, if any?

      Answer:

       

      1.3 Security Management:

       

      j.        ....

       

      k.      What are the top vulnerabilities that the software product is tested against? What is the basis for choosing these vulnerabilities?

      Answer: None

       

      l.      How are reports of defects, vulnerabilities and security incidents involving the software product collected, tracked, prioritized and addressed? What is the vulnerability-to-patch delivery time frame?

      Answer:

       

      m.    What is your policy for disclosing security vulnerabilities? How and when are customers notified?

      Answer:

       

      n.      What is your patch release strategy? How are patches distributed, how are patches tested prior to release, and can they be rolled back?  If there are any patches, they will be deployed manually.

       

      1.4 Authentication:

       

      o.      What directory services does the software integrate with for authentication?

      Answer:

       

      p.      Is authentication being performed over a secure connection? How is this being achieved?

      Answer:

       

      q.    ......

       

      r.      What authentication controls are implemented in order to secure the user authentication process? None

       

      1.5 Authorization:

       

      s.      How is access control designed and implemented by the software?

      Answer:

       

      t.      Does the system provide the ability to set an expiration date for authorization?

      Answer:

       

      u.      What are the authorization roles provided by the software? Indicate which roles can perform authorization functions. Can the authorization roles be customized?

      Answer:

       

      v.      How does the software validate user authorization? How is the client machine and the server involved in the authorization? How does the system behave if it cannot confirm user authorization due to resource availability issue (e.g. network failure)?

       

      1.6 Session Management:

       

      w.    How does the software manage user sessions?

      Answer:

       

      x.      How can session timeout be set in the application?

      Answer:

       

      y.      Does the system use session IDs? How do session IDs get generated, stored and transmitted?

      Answer:

       

      z.      Does the application allow concurrent sessions? Does it allow concurrent sessions to be disabled? If so, how to disable concurrent sessions?

      Answer:

       

      aa.  What session management controls are implemented in order to secure the application?

       

      1.7 Data Validation:

       

      bb.  How is data validation designed and implemented in the application?

      Answer:

       

      cc.  How is data from the user encoded?

      Answer:

       

      dd.  How does the system protect against Cross Site Scripting and Injection attacks? If the system uses any databases, how does the system protect against SQL Injection?

      Answer:

       

      ee.  If the system allows files to be uploaded to the system, how are these files verified?

      Answer:

       

      1.8 Error Handling:

       

      ff.      How does the system handle errors in the application?

      Answer:

       

      gg.  What kinds of errors are displayed to the user? Provide samples.

      Answer:

       

      hh.  What controls exist to ensure the software recovers securely from errors?

      Answer:

       

      1.9 Logging:

       

      ii.      What types of logs does the software keep?

      Answer:

       

      jj.      How do logs get accessed? Where are they stored? Which roles have access to each type of log?

      Answer:

       

      kk.  Which logs contain business related sensitive information? Which logs contain system health information?

      Answer:

       

      ll.      What is the format of the log? Can the format be customized? Does the vendor provide a parser for the log to be integrated with centralized monitoring systems?

      Answer:

       

      1.10 Data Protection:

       

      mm.          What information is considered sensitive in the application, and how is it being protected? How are user credentials handled?

      Answer:

       

      nn.  What information is kept at the client machine? Is this information cached temporarily or kept permanently, and how can this information be regenerated?

      Answer:

       

      oo.  What encryption and hashing algorithms are used by the application? What are they used to protect?

      Answer:

       

      pp.  Is data being protected during storage? How is this being achieved?

      Answer:

       

      qq.  How does the application pass data across the application? What strategy is used to decide what gets passed through GET requests, POST requests, cookies, hidden form fields, etc.

      Answer:

       

      rr.    Does the application have any demo or user configuration set up? If so, what is the process of removing these users or configurations?

      Answer:

       

      ss.    Does the application protect against clickjacking? If so, how does it achieve that?

      Answer:

       

       

      -------------------

       

      Side note

       

      Known Supporting documents / links:

       

      Protecting Deployed FileMaker Platform Systems in the Age of Cyber Attacks - FMForums

       

      http://help.filemaker.com/ci/fattach/get/104213/0/filename/security_guide_en_13_final.pdf

       

      http://www.filemaker.com/downloads/documentation/fm12_security_guide_en.pdf

       

      Using Encryption At Rest (EAR) functionality with FileMaker products | FileMaker

        • 1. Re: Corporate Customer FileMaker Security Questions/Answers?
          schamblee

          FileMaker is a design application, where you design the database to meet your needs.  Security can be as strong or weak as you create it.  I suggest reading the links you posted at the bottom of your post.  You can add all kinds of third-party plug-ins to your database or use a third-party database, whatever you want to purchase and add; there is no way FileMaker or anyone else can tell you about every product on the market for FileMaker.  If you want to add the third-party software to your database or use a third-party database, I suggest you contact that company and ask them about their software.  You wrote a book with basically the same questions, and all deal with security and being hacked.  There is no way that a product can be risk free; it is not possible.  FileMaker is used by major corporations all over the world. Security goes further than just FileMaker; any software on your computer can be hacked, so you would need Anti-Virus software, Spyware and a firewall.  FileMaker is not going to give out information on updates that may or may not come out.  FileMaker comes with starter solution databases that are samples to get you started, and yes, some of these starter solutions are designed by third parties; they are examples of what can be done with FileMaker.  The questions you posted on here are better answered by the company that designs the database you plan to use.  If you use the security setup with FileMaker, with your computer or device, set up anti-virus software, and set up your firewall, then you should be as safe as anyone can be.

          • 2. Re: Corporate Customer FileMaker Security Questions/Answers?
            FileMakerProRocks

            Thanks chamblee. Nice try. However, this does not help. My boss would say: "Are you part of the problem or part of the solution?" I am rather looking for a knowledgeable 'pragmatic' FileMaker Consultant who can actually help me.

             

            Anybody? Thanks!

            • 3. Re: Corporate Customer FileMaker Security Questions/Answers?
              schamblee

              I am very knowledgeable of FileMaker and other software and I am a consultant.  As I said, these questions can only be answered by the person that designed your database, not FileMaker.  Only the company that designed your database can tell you what security they set up and what third-party plug-ins they used. There are millions of third-party plug-ins / add-ons. Only the company that set up your network can tell you about the security of your network.  If you are using a hosting company to host your database, then only the hosting company can tell you about their security on their network.  The other information about how data gets passed, again, this is a question that can only be answered by the company that designed the database you are using.  There are hundreds of different ways a task can be done in FileMaker.  Your network and your operating system have just as much to do with security, if not more, than FileMaker.  Find the product you are interested in purchasing and then contact that company with your questions.  You can ask the company that made the tires for your car about how much horsepower the car has, miles per gallon, crash test and safety inspection of the vehicle, but only the company that built the car can tell you those answers.

              • 4. Re: Corporate Customer FileMaker Security Questions/Answers?
                BruceHerbach

                I can see your boss's opinion. However, it is you or the developers your company hired that have to be the solution.

                 

                Another approach could be to hire a developer to come in and analyze your database. It may take a bit of time and a full access account to go through your database and answer the questions posed here.

                 

                Without looking at the database and the security setup, there is no way we can answer these questions.

                • 5. Re: Corporate Customer FileMaker Security Questions/Answers?
                  FileMakerProRocks

                  Ok, I would like to close this thread as it may not lead to the expected results. I will open a new discussion and rephrase the questions. Thank you.

                  • 6. Re: Corporate Customer FileMaker Security Questions/Answers?

                    Quite a few of your questions are best answered by the FileMaker engineers and I am not sure that the support staff knows the answers. Most are beyond FileMaker developers, even the 'certified' ones.

                     

                    Interesting to note is that no matter how much effort is put into the design of the product, the developer's security setup and even if everything from the software point of view is perfect, humans still violate security protocols, share passwords and even produce hack attacks that bypass the security protocols.

                     

                    FileMaker was never designed to be secure just like most software in use. Use it on a LAN or WAN, wireless or cellular and like anything else it becomes insecure.

                     

                    All security can only provide security against the unschooled. The highly experienced will find a way in. For instance, the esc key. I wonder how many developers know that it can be used to stop their scripts.

                     

                    I have seen many newbie databases on shared hosts that allow guest access and some aren't even password protected.

                     

                    You could use Access or xBase and leave all of your files open on your drives so they can be read with a text editor... 

                     

                    The fact that the question was asked in the wrong place must have some significance...

                    • 7. Re: Corporate Customer FileMaker Security Questions/Answers?
                      schamblee

                      Only a few of the questions could have been answered by FileMaker Inc. and I'm sure they would not because that information would be trade secrets and the software would still be only as secure as the network, the computers on the network, and the database itself.  FileMaker is a reputable company owned by Apple, which is also known to build secured operating systems.  The only other issues left would be the issues stated above.  The best option then would be to hire a network consultant and a FileMaker consultant that designed the database you plan to use.  Most companies have references; if they don't, then you may need to select a new consultant.

                      • 8. Re: Corporate Customer FileMaker Security Questions/Answers?
                        Mike_Mitchell

                        "FileMaker was never designed to be secure"

                         

                        The developer of Kerberos disagrees.

                         

                        Please do not make patently false statements, especially to newbies.

                        • 9. Re: Corporate Customer FileMaker Security Questions/Answers?

                          The developer of Kerberos is not involved in the creation of FileMaker Pro. Please respond to my statement without misdirection. I never mentioned any of the numerous third party apps that make up FileMaker.

                           

                          Please do not accuse me of making false statements by using such false techniques.

                           

                          I wrote a serious reply but decided to make it a blog post rather than a forum post.

                           

                          The hacker world is filled with exploits for overcoming the various IT methods of security. So, please don't make such patently false statements yourself...

                           

                          If you are unaware of FileMaker's security weaknesses, I am available for consultation.

                          • 10. Re: Corporate Customer FileMaker Security Questions/Answers?
                            Mike_Mitchell

                            The developer of Kerberos was involved in a third-party evaluation of FileMaker’s security … and liked it. (Compared against industry practices.) Considering he is a recognized computer security expert, I consider that to have some weight. There’s nothing “false” in citing his evaluation.

                             

                            You are correct in stating that most security breaches come about as a result of faulty implementation. However, your tactic here is to claim the equivalent of, “I left my key in my door, so Master Lock must not be designed securely.” That would be a “false” statement, and I see nothing wrong in calling you out on it.

                            • 11. Re: Corporate Customer FileMaker Security Questions/Answers?
                              schamblee

                              I agree, Mike. FileMaker is designed to be more secure than most other software because it was designed with its own networking, which requires a level of security.  Excel or other software doesn't have this much security because they let the OS handle security.  I think jackrodgers was meaning that most breaches occur because of user carelessness.  I agree that most hacks occur by the user basically giving their keys away without knowing they have done so.  It doesn't matter if you have the most secure lock in the world if you give the key away, because you are still responsible for that data or making the payments on the car.

                              • 12. Re: Corporate Customer FileMaker Security Questions/Answers?
                                Mike_Mitchell

                                Agreed. The problem with Jack’s statement is it gives the casual user the impression that FileMaker is inherently insecure, which it is not. A bank vault is insecure if you leave the door open. No security works if you don’t use it, but that doesn’t mean the system is flawed.

                                • 13. Re: Corporate Customer FileMaker Security Questions/Answers?

                                  FileMaker's internal security system is flawed. Absolutely.

                                   

                                  First, the total lack of enforcing a requirement that the user create a security system.

                                  Next, permitting an unlimited number of [Full Access] accounts and no master control account that cannot be manipulated by anyone else.

                                  Next, allowing an unlimited number of users to use the same account name at the same time.

                                  Next, failing to provide the [Full Account] user with accurate information on the comings and goings, etc.

                                  Next, failing to provide sufficient and quality tools for identifying the user.

                                  Next, failing to provide the ability to determine if there is an internet connection, maybe I have overlooked this.

                                  Next, I have created my own system of watching logins come and go. FileMaker's lack of tools limits my ability.

                                  Next, a very important tool is to identify where the user is located and there are some functions to help with that. Would a business not like to know if one of their salesmen were sitting in the competitor's office and scanning through prices, customers, etc?

                                  ...

                                  Next, there are a lot of poorly designed files hosted on the Internet containing people's private financial information that can be accessed using the Guest account. I found one with 50,000 arrest records and sent a note advising...

                                   

                                  My most interesting moment was conversing with an IT guy a client had hired. I questioned him about how FileMaker Server was set up. He explained he knew nothing about FileMaker but had read the instructions and set all of the ports and the Server was secure from the outside world after I asked about that. I then told him I found the IP address in a book the client let me look at and had logged in through free WiFi at Burger King.

                                   

                                  Another self-aggrandizing IT guy took half an hour explaining to me how much of a genius he is (I made perfect scores on my finals in all of my Geometry classes). Then he sent a new hire to set up the FileMaker Server rather than letting me do it. The guy grabbed an older computer that had been removed from service when the client's staff let in the viruses. He used a $60 drive as backup. Constant failures and I got the heat.

                                   

                                  When Java first appeared, after reading the self-promoting ads I studied the code capability and was shocked to see how much power was given to amateur web designers. I posted on a forum that I was waiting to see what the first hack would be and how serious it would be. I was put down by people who quoted the ads and comments of writers who quoted the ads. I have yet to receive any email from any of those people saying, "You were right." Maybe it gets crunched by the daily Java security updates?

                                   

                                  I think the fact that an unlimited number of people can be given [Full Access] accounts secretly with the developer or management failing to notice is a possibility.

                                   

                                  I can go on but you see where I am coming from when I say what I did.

                                   

                                  A better analogy than the key in the master lock is the electronic clickers on our key chains that open our cars. I once had the fascinating experience of trying to open my Honda while causing the Pontiac behind me to lock its doors and beep. The owner looked perplexed.

                                   

                                  I have been working on and off with a table to track logins. It caught one former developer logging in using the owner's password...

                                   

                                  With a little flattery I might post the table. It only requires one line of perform script to activate a login from any other file.

                                  • 14. Re: Corporate Customer FileMaker Security Questions/Answers?
                                    johnnyb

                                    All these access control functions you describe are the province of the developer's application or of external facilities, like LDAP.

                                     

                                    "Security" is of course a fairly broad term. Used properly, a FileMaker Pro solution can be quite secure, by many definitions of the term. At the same time, a determined attacker can compromise any system.

                                     

                                    Sweeping claims of the kind you're making here apply to a great many software systems. If you can identify security policies that must be implemented in the application rather than in the framework, that's fine, but it's not the same thing as FileMaker Pro's security being flawed in any "absolute" sense.