Skip to content
View in the app

A better way to browse. Learn more.
FMForums.com

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

FileMaker Security Blog

A blog by Steven H. Blackwell in Affiliate Blogs

  • Entries

    45

  • Comments

    63

  • Views

    162,951

About this blog

Discusses issues of Confidentiality, Integrity, and Availability of FileMaker Pro databases.

Entries in this blog

2020 To Be Year of Challenges

This year 2020 will be one of Change and Challenge for the Claris FileMaker Community. It will require Commitment, Confidence, and Community Effort to see it to a successful conclusion. Herewith, in outline form, are some of the Challenges I foresee we will face:     1.            We will need to develop a finer level of audit logging of Personally Identifiable Information (PII).  Most logs currently focus on system level activity.  A finer level of focus will assist in achiev

A Forward Look About FileMaker Platform Security

A Forward Look About FileMaker Platform Security Developers and users of the FileMaker Workplace Innovation Platform must be concerned about security of their deployed solutions. Likewise, they must have a forward-looking perspective about key issues in this arena. Security has its major purpose the preservation of Confidentiality, Integrity, Availability, and Resilience (CIAR) of their systems.  Liabilities resulting from breaches can substantially affect continued business operations

Federated Identity Management, Zero Trust, And The FileMaker Platform

The face of computing and data access has changed enormously over the past decade. In an always-on, connect-from-anywhere, mobile-device-driven world, the network perimeter has disappeared.  With that disappearance has come a variety of new security and business process challenges to the Confidentiality, Integrity, Availability, and Resilience of organization digital assets.  Coupled with growing regulatory strictures, business reputation management requirements, and customer or client trust, mo

What Is Account Lockout?

The new version of the FileMaker Platform contains a new feature called Account Lockout.  This feature’s purpose is to help thwart brute force attacks against hosted files.  Such attacks try a large number of passwords against an Account in an attempt to gain access to the file. Here are a few key points about this new feature: v It works for files hosted on FileMaker® Server 17 only.  It does not work for files hosted on earlier versions of FileMaker Server or for stand-alone files.

FIVE EMERGING TRENDS FOR 2018 WILL IMPACT SECURITY OF THE FILEMAKER PLATFORM

With the advent of a new Fiscal Year for the FileMaker Developer Community, we will experience five emerging trends in FileMaker Information Security.  Each of these will likely have specific impact on developers, on our clients, on the Platform, and on the larger business environment in which we operate. Cumulatively and symbiotically, the magnified impact of the five will have the potential to alter many long-standing practices and conventions. What are these five trends?  How will they i

FileMaker DevCon To Convene Against Backdrop Of Cyber-Attacks Across The Globe

FileMaker DevCon To Convene Against Backdrop Of Cyber-Attacks Across The Globe     July 18th 2017     In just a few days, four generations of FileMaker developers and users from all over the world will gather for the 22nd Annual FileMaker DevCon, held this year in Phoenix, Arizona. We will do so against an unprecedented backdrop of critical security issues facing businesses and organizations all over the world.  Organizations of all sizes and from every bu

OAuth2 Accounts Log-In FileMaker 16 Platform

There have been a number of reports of developers having difficulty logging into FileMaker® Pro 16 files with OAuth2 based Accounts once they have set up the services on FileMaker® Server 16. Briefly to review, developers can now specify Amazon, Google, or Azure Active Directory Accounts to validate Identity Assertions and gain admission to the file.  However, users must understand that when using these OAuth2  Accounts that they do not enter the credentials in the normal place in the dia

Behavior Change API Privileges In Version 16

One of the best new security features in the FileMaker 16 Platform is that, by default, several external Application Program Interfaces (APIs) are off and disabled.  AppleEvents, ActiveX, and FMPURL Perform Script are all still there.  But developers must specifically select and enable them. This feature prevents unauthorized manipulation and interaction with FileMaker Pro files, both stand-alone and hosted by FileMaker Server.  Such manipulation can be used to alter data, destroy data, cre

Version 16 Brings Major New Security Features

FileMaker 16 Platform Brings Significant New Security Features       The release of Version 16 of the FileMaker Platform brings with it a host of new security features reaching across the entire FileMaker Platform, from FileMaker® Server 16 to FileMaker® Pro 16 to WebDirect™ and beyond. There are new controls on the use of three external Application Programming Interfaces (API’s): AppleEvents, ActiveX, and FMPURL.  These controls significantly strengthen security

SECURITY VULNERABILITIES OF FILEMAKER PLATFORM API’S: AN UPDATE

Security Vulnerabilities of FileMaker Platform API’s:  An Update  January 9th 2017 In an April 2016 entry on this BLOG titled The FileMaker Platform API’s Are Your Friends, Right? [http://fmforums.com/blogs/entry/1535-the-filemaker-platform-api’s-are-your-friends-right/] I discussed a number of FileMaker Platform security issues centered on the uncontrolled use of a number of external Application Program Interfaces (API’s). There are at least nine of these API, possibly more, if E

FileMaker Cloud

I am very excited about the advent today of FileMaker Cloud. It is an excellent addition to the overall FileMaker Platform. Even in Version 1.0 we can see major benefits and uses for FileMaker Cloud. Over time and in succeeding versions, I believe these will get even better. It is scalable, both up and down. It can meet rapidly changing needs for infrastructure to support FileMaker-based business management systems. It is secure. Your files are encrypted. And data in transit are al

Protecting FileMaker Platform Business Solutions

Protecting FileMaker Platform Business Solutions FileMaker Platform developers and FileMaker Server Administrators, as well as business data owners, need to take a variety of steps to protect the Confidentiality, Integrity, Availability, and Resilience (CIAR) of their FileMaker Platform Business Solutions. Threat Agents of many varieties seek to exploit vulnerabilities that might exist in those solutions to compromise them, to steal data, to alter data, or to destroy data. This Fil

Phishing Attacks on FileMaker Platform Files

Phishing Attacks on FileMaker Platform Files Recently I made reference in several venues to an article that described a sophisticated and interesting exploit to steal iOS credentials from a stolen Apple iPhone.  You can read the full article here: https://hackernoon.com/this-is-what-apple-should-tell-you-when-you-lose-your-iphone-8f07cf73cf82 The core element of the article was that when the owner discovered the theft that he activated “…all the ‘send me email when the phone retur

Edit Records Privileges

Edit Records Privileges I have heard reports recently about some confusion regarding the behavior of the Edit Records privileges.  These privileges are set in the Privilege Set Custom Privileges area; they are part of the Record Level Access (RLA) privileges for a specific table. Record editing privileges can be set to Yes, No, or Limited. Developers select these options from the drop-down menu under the Edit area in Custom privileges in the Privilege Set. What happens to a user’s priv

New Security Features In Version 15 FileMaker Platform

The release of Version 15 of the FileMaker Platform brings with it a number of new security features, both in FileMaker® Server 15 and in FileMaker® Pro 15.  FileMaker® Pro 15 Advanced also has one notable security enhancement. I have attached to this BLOG post a new White Paper that details and explains a number of these new features as well as offers some recommendations for their effective use. First however, we should take note that in the past several releases that FileMaker, Inc. ha

The FileMaker Platform API’s Are Your Friends, Right?

The FileMaker Platform API’s Are Your Friends, Right? The FileMaker Platform supports integration with a variety of Application Programming Interfaces (API’s), and it has done so for a very long time. These API’s allow FileMaker Platform developers to integrate their solutions with other technologies and applications. This is an incredibly useful capability; indeed, from both technological and business-process standpoints, it is essential. Many FileMaker developers are not aware, howev

Hacking Your Own FileMaker Platform Solutions

Hacking Your Own FileMaker Platform Solutions Should FileMaker Platform developers mount hacking attacks on their own solutions? At first glance, this may seem an odd question. But I believe that the answer is “Yes, we should.” Consider this. As developers we see our solutions from a totally different perspective than Threat Agents see them. Without practicing our own hacking skills, we can become blind to the vulnerabilities a Threat Agent can exploit to compromise the Confidentiality

Aligning FileMaker Security Requirements To Business Interests

Aligning FileMaker Security Requirements To Business Interests   March 29th 2016   There has been a considerable amount of discussion recently in various FileMaker Platform venues about database security.  Much of the discussion has focused on the use of one technique or another, and most of those techniques actually detract from the security of FileMaker systems rather than enhance security. Absent from these discussions, however, has been any description of

Emerging Security Trends Affect FileMaker Platform

Emerging Trends in Information Security Affect FileMaker Platform   By Steven H. Blackwell March 17th 2016 The recently concluded annual RSA Security Conference showcased a number of important emerging trends in Information Security that likely will affect FileMaker Platform developers and Administrators of FileMaker Platform systems. In this BLOG entry, I will describe some of these and offer some observations about how they might apply to the FileMaker Platform.

Some Vulnerabilities Associated With Ersatz Log-On Systems

Some Vulnerabilities Associated With Ersatz Log-On Systems   October 29th 2015   My recent post [http://fmforums.com/blogs/entry/1410-new-paradigms-in-filemaker-platform-security/] on this BLOG about New Paradigms in FileMaker Platform Security has apparently occasioned a good deal of discussion in various FileMaker-related venues. Much of this reportedly has focused on the ersatz systems that I recommended be avoided. Many persons seem to have asserted that they use such systems for

New Paradigms In FileMaker Platform Security

New Paradigms In FileMaker Platform Security October 19th 2015     Traditionally, the framework for Information Security management has focused on activities designed to preserve the Confidentiality, Integrity, and Availability (CIA) of digital assets, and, on occasion, of physical IT infrastructure assets. That focus must now shift; in fact, it is already shifting.   By way of a brief review, CIA focuses on three elements:            Confidentiality focuses on preventing unauthorized ac

FileMaker 14 Platform Brings New Security Features

FileMaker 14 Platform Brings New Security Features The newly released FileMaker 14 Platform contains a number of security enhancements, at least one of which has significant potential to strengthen Platform security and to close a significant vulnerability. For many years users of FileMaker Pro on the Macintosh OS platform have been able to save database credentials in the Macintosh KeyChain.  And with the advent of Windows 7, FileMaker Pro users have also been able to save credentials in the

Protecting Deployed FileMaker Platform Systems in the Age of Cyber Attacks

The recent cyber attack on Sony Pictures serves as a new, additional, and very loud wake-up call for businesses all over the world about the need to protect digital assets. Organizations who use the FileMaker Platform to manage their businesses and whose databases contain proprietary and sensitive information, business process control methods, or financial data especially need to be diligent about data protection. If you are a small business, an education institution, a not-for-profit organizati

An Exploit-Based Approach To Providing FileMaker Platform Security

Over the past dozen years, I have discussed in a number of venues the necessity for robust security practices and the techniques needed to implement them on the FileMaker Platform. Such discussions have as their underlying framework a fairly traditional Information Security paradigm. There are Threat Agents who seek to initiate Exploits or Threats that negatively Impact the Confidentiality, Integrity, and Availability of FileMaker Platform systems or other Digital Assets. These attacks also

Important Information

By using this site, you agree to our Terms of Use.

I accept

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.