5 Replies Latest reply on Jun 14, 2015 12:01 PM by taylorsharpe

    Devcon - security session


      Saw this on the FBA forum, by Steven Blackwell - by far the most knowledgeable expert on FM security.

      If you are going to Devcon, make sure you attend his session.  If you are not going: consider going, this is vital information.

      Core | FileMaker Developer Conference 2015



      Security Audit of A FileMaker System

      So far in 2015 we seem well on the way to having a record-breaking year for data breaches. Simply stated, we are now in an era of continuous breaches, some of them very significant in terms of the number of, and the sensitivity of, data records exposed. 

      Organizations must expect they will suffer breaches. The question has now become, “How can losses be held to a minimum?” when a breach occurs.  Some observers and information security experts have labeled this concept as the safe breach. While I am not particularly enamored with that terminology, it nevertheless reflects a realistic viewpoint about the state of information security today.

      At the upcoming 20th FileMaker Developer Conference to be held in Las Vegas, Nevada, July 20-23, I am pleased to have the opportunity to present a program entitled “What Would I Find If I Did A Security Audit Of Your FileMaker System?”  This will be on Wednesday, July 22nd at 3:45 PM.

      In over two decades of FileMaker Platform work, through all nineteen prior Developer Conferences I have attended, I have seen a large number of vulnerabilities in deployed FileMaker Platform systems. FileMaker security vulnerabilities usually stem from one or more of four sources. In this session I will review a number of these vulnerabilities and describe how to close them.


      Steven H. Blackwell

      Platinum Member Emeritus

      FileMaker Business Alliance


        • 1. Re: Devcon - security session

          No time to go, unfortunately. Hopefully there is going to be a recording. The topic is essential.

          • 2. Re: Devcon - security session

            YES! this is a serious topic that needs to be disseminated to the masses, not just the DevCon attendees.


            • 3. Re: Devcon - security session

              Good recommendation Wim.  I go to the security session each year at Devcon and it is rather important to keep up on.


              One thing that I find few FileMaker developers have experience in is written security plans and continuity of operation plans (COOP) for their solutions.  When you get with the big boys (aka, the enterprise level guys), that is just one of the requirements and something often holding back FM being a viable solution if the developer can't provide good documentation.  If you work with the US Government, you always have to have a security plan and they are not simple little 10-20 page reports.


              And while smaller and medium sized businesses might not need such full documentation, I still recommend light versions of security and COOP plans.  These plans often force companies to assign responsibilities to staff regarding aspects of security from updates, to who makes decisions for each solution, to how security is managed, to who handles backups, scheduled hardware upgrades, plans on how to respond if a breach happens, etc.  Few companies I talk to have tools to know if they have been breached and, if they are, who is responsible for securing their info, minimizing impact, securing the network, and reporting to decision makers on what happened and potential liabilities of the breach.  These are all things familiar to a CIO, but many FM solutions are with companies too small to have a CIO, let alone full time IT staff.  But it doesn't mean they still shouldn't have response plans.


              As a developer, these are also additional services that can be offered and companies are becoming more willing to pay for them as a necessary part of business.


              If you want to do some brushing up on security plans, you might look at the US Government's NIST 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations" as well as the ISO 27001/2 international standards of security documentation.  These are all well documented on the internet. 


              I actually thought about applying as a Devcon presenter to go over making a security plan for a FileMaker solution that would meet US Government requirements.  Then again, it would be a rather dry and narrowly focused session. 


              I hope to see many of you at Devcon and the Security Session.  By the way, the Devcon Security session is being taught by Rosemary Tietge and she really is quite knowledgeable!  She is a FileMaker, Inc. employee and technical engineer, as well as a graduate of MIT. 

              • 4. Re: Devcon - security session

                Taylor Sharpe wrote:


                By the way, the Devcon Security session is being taught by Rosemary Tietge


                There are 3 security sessions at Devcon.  The one that I referenced is by Steven Blackwell.  The others are by Rosemary Tietge and Ronnie Rios.


                Agreed with the main point that even small(er) companies benefit from a structured approach to security.  Same with backups and disaster recovery.  The approaches that work for big enterprise in this area can easily be scaled down and provide a lot of value.

                • 5. Re: Devcon - security session

                  Wim:  There are 3 security sessions at Devcon.  The one that I referenced is by Steven Blackwell.  The others are by Rosemary Tietge and Ronnie Rios.

                  Ahhh... so noted.  Thanks, Wim.  Steven Blackwell has quite a security reputation and I'll plan on attending his too.  Thanks for pointing it out.