This year 2020 will be one of Change and Challenge for the Claris FileMaker Community. It will require Commitment, Confidence, and Community Effort to see it to a successful conclusion. Herewith, in outline form, are some of the Challenges I foresee we will face:
1. We will need to develop a finer level of audit logging of Personally Identifiable Information (PII). Most logs currently focus on system level activity. A finer level of focus will assist in achiev
A Forward Look About FileMaker Platform Security
Developers and users of the FileMaker Workplace Innovation Platform must be concerned about security of their deployed solutions. Likewise, they must have a forward-looking perspective about key issues in this arena.
Security has as its major purpose the preservation of Confidentiality, Integrity, Availability, and Resilience (CIAR) of their systems. Liabilities resulting from breaches can substantially affect continued business operations
The face of computing and data access has changed enormously over the past decade. In an always-on, connect-from-anywhere, mobile-device-driven world, the network perimeter has disappeared. With that disappearance has come a variety of new security and business process challenges to the Confidentiality, Integrity, Availability, and Resilience of organization digital assets. Coupled with growing regulatory strictures, business reputation management requirements, and customer or client trust, mo
The new version of the FileMaker Platform contains a new feature called Account Lockout. This feature’s purpose is to help thwart brute force attacks against hosted files. Such attacks try a large number of passwords against an Account in an attempt to gain access to the file.
Here are a few key points about this new feature:
• It works for files hosted on FileMaker® Server 17 only. It does not work for files hosted on earlier versions of FileMaker Server or for stand-alone files.
With the advent of a new Fiscal Year for the FileMaker Developer Community, we will experience five emerging trends in FileMaker Information Security. Each of these will likely have specific impact on developers, on our clients, on the Platform, and on the larger business environment in which we operate. Cumulatively and symbiotically, the magnified impact of the five will have the potential to alter many long-standing practices and conventions.
What are these five trends? How will they i
FileMaker DevCon To Convene
Of Cyber-Attacks Across The Globe
July 18th 2017
In just a few days, four generations of FileMaker developers and users from all over the world will gather for the 22nd Annual FileMaker DevCon, held this year in Phoenix, Arizona. We will do so against an unprecedented backdrop of critical security issues facing businesses and organizations all over the world. Organizations of all sizes and from every bu
There have been a number of reports of developers having difficulty logging into FileMaker® Pro 16 files with OAuth2 based Accounts once they have set up the services on FileMaker® Server 16.
Briefly to review, developers can now specify Amazon, Google, or Azure Active Directory Accounts to validate Identity Assertions and gain admission to the file. However, users must understand that when using these OAuth2 Accounts they do not enter the credentials in the normal place in the dia
One of the best new security features in the FileMaker 16 Platform is that, by default, several external Application Program Interfaces (APIs) are off and disabled. AppleEvents, ActiveX, and FMPURL Perform Script are all still there. But developers must specifically select and enable them.
This feature prevents unauthorized manipulation and interaction with FileMaker Pro files, both stand-alone and hosted by FileMaker Server. Such manipulation can be used to alter data, destroy data, cre
FileMaker 16 Platform Brings Significant New Security Features
The release of Version 16 of the FileMaker Platform brings with it a host of new security features reaching across the entire FileMaker Platform, from FileMaker® Server 16 to FileMaker® Pro 16 to WebDirect™ and beyond.
There are new controls on the use of three external Application Programming Interfaces (API’s): AppleEvents, ActiveX, and FMPURL. These controls significantly strengthen security
Security Vulnerabilities of FileMaker Platform API’s: An Update
January 9th 2017
In an April 2016 entry on this BLOG titled The FileMaker Platform API’s Are Your Friends, Right? [http://fmforums.com/blogs/entry/1535-the-filemaker-platform-api’s-are-your-friends-right/] I discussed a number of FileMaker Platform security issues centered on the uncontrolled use of a number of external Application Program Interfaces (API’s). There are at least nine of these API’s, possibly more, if E
I am very excited about the advent today of FileMaker Cloud. It is an excellent addition to the overall FileMaker Platform. Even in Version 1.0 we can see major benefits and uses for FileMaker Cloud. Over time and in succeeding versions, I believe these will get even better.
It is scalable, both up and down. It can meet rapidly changing needs for infrastructure to support FileMaker-based business management systems.
It is secure. Your files are encrypted. And data in transit are al
Protecting FileMaker Platform Business Solutions
FileMaker Platform developers and FileMaker Server Administrators, as well as business data owners, need to take a variety of steps to protect the Confidentiality, Integrity, Availability, and Resilience (CIAR) of their FileMaker Platform Business Solutions. Threat Agents of many varieties seek to exploit vulnerabilities that might exist in those solutions to compromise them, to steal data, to alter data, or to destroy data.
Phishing Attacks on FileMaker Platform Files
Recently I made reference in several venues to an article that described a sophisticated and interesting exploit to steal iOS credentials from a stolen Apple iPhone. You can read the full article here:
The core element of the article was that when the owner discovered the theft, he activated “…all the ‘send me email when the phone retur
Edit Records Privileges
I have heard reports recently about some confusion regarding the behavior of the Edit Records privileges. These privileges are set in the Privilege Set Custom Privileges area; they are part of the Record Level Access (RLA) privileges for a specific table.
Record editing privileges can be set to Yes, No, or Limited. Developers select these options from the drop-down menu under the Edit area in Custom privileges in the Privilege Set. What happens to a user’s priv
The release of Version 15 of the FileMaker Platform brings with it a number of new security features, both in FileMaker® Server 15 and in FileMaker® Pro 15. FileMaker® Pro 15 Advanced also has one notable security enhancement.
I have attached to this BLOG post a new White Paper that details and explains a number of these new features as well as offers some recommendations for their effective use. First however, we should take note that in the past several releases FileMaker, Inc. ha
The FileMaker Platform API’s Are Your Friends, Right?
The FileMaker Platform supports integration with a variety of Application Programming Interfaces (API’s), and it has done so for a very long time. These API’s allow FileMaker Platform developers to integrate their solutions with other technologies and applications. This is an incredibly useful capability; indeed, from both technological and business-process standpoints, it is essential.
Many FileMaker developers are not aware, howev
Hacking Your Own FileMaker Platform Solutions
Should FileMaker Platform developers mount hacking attacks on their own solutions? At first glance, this may seem an odd question. But I believe that the answer is “Yes, we should.”
Consider this. As developers we see our solutions from a totally different perspective than Threat Agents see them. Without practicing our own hacking skills, we can become blind to the vulnerabilities a Threat Agent can exploit to compromise the Confidentiality
Aligning FileMaker Security Requirements To Business Interests
March 29th 2016
There has been a considerable amount of discussion recently in various FileMaker Platform venues about database security. Much of the discussion has focused on the use of one technique or another, and most of those techniques actually detract from the security of FileMaker systems rather than enhance security.
Absent from these discussions, however, has been any description of
Emerging Trends in Information Security Affect FileMaker Platform
By Steven H. Blackwell
March 17th 2016
The recently concluded annual RSA Security Conference showcased a number of important emerging trends in Information Security that likely will affect FileMaker Platform developers and Administrators of FileMaker Platform systems. In this BLOG entry, I will describe some of these and offer some observations about how they might apply to the FileMaker Platform.
Some Vulnerabilities Associated With Ersatz Log-On Systems
October 29th 2015
My recent post [http://fmforums.com/blogs/entry/1410-new-paradigms-in-filemaker-platform-security/] on this BLOG about New Paradigms in FileMaker Platform Security has apparently occasioned a good deal of discussion in various FileMaker-related venues. Much of this reportedly has focused on the ersatz systems that I recommended be avoided. Many persons seem to have asserted that they use such systems for
New Paradigms In FileMaker Platform Security
October 19th 2015
Traditionally, the framework for Information Security management has focused on activities designed to preserve the Confidentiality, Integrity, and Availability (CIA) of digital assets, and, on occasion, of physical IT infrastructure assets. That focus must now shift; in fact, it is already shifting.
By way of a brief review, CIA focuses on three elements:
Confidentiality focuses on preventing unauthorized ac
FileMaker 14 Platform Brings New Security Features
The newly released FileMaker 14 Platform contains a number of security enhancements, at least one of which has significant potential to strengthen Platform security and to close a significant vulnerability.
For many years users of FileMaker Pro on the Macintosh OS platform have been able to save database credentials in the Macintosh KeyChain. And with the advent of Windows 7, FileMaker Pro users have also been able to save credentials in the
The recent cyber attack on Sony Pictures serves as a new, additional, and very loud wake-up call for businesses all over the world about the need to protect digital assets. Organizations who use the FileMaker Platform to manage their businesses and whose databases contain proprietary and sensitive information, business process control methods, or financial data especially need to be diligent about data protection. If you are a small business, an education institution, a not-for-profit organizati
Over the past dozen years, I have discussed in a number of venues the necessity for robust security practices and the techniques needed to implement them on the FileMaker Platform. Such discussions have as their underlying framework a fairly traditional Information Security paradigm.
There are Threat Agents who seek to initiate Exploits or Threats that negatively Impact the Confidentiality, Integrity, and Availability of FileMaker Platform systems or other Digital Assets. These attacks also