
Security – Why It Pays to Keep Up to Date

Dimitris Kokoutsidis

Wim Decorte, Doug Wallis, Jun 13, 2024, Claris Community Live

  1. Introduction
  2. The Importance of Security
  3. The Security Landscape: Current Threats and Misconceptions
  4. Key Concepts: Authentication vs. Authorization
  5. Modern Threats: Why Small Businesses Are Not Exempt
  6. Understanding Attack Vectors in the FileMaker Ecosystem
  7. External Authentication: Best Practices
  8. OAuth and OpenID Connect: Modern Security Standards
  9. Using Multi-Factor Authentication (MFA) for Enhanced Security
  10. Passwordless Authentication: The Next Step in Security
  11. FileMaker Security Configuration: Internal vs. External
  12. FileMaker Cloud and Claris ID
  13. SSL Certificates: Why They’re Essential
  14. Let’s Encrypt and FileMaker 2024: A Game-Changer
  15. Implementing Strong Security: Practical Tips
  16. Risks of Custom Security Systems
  17. Web Viewer Vulnerabilities and Cross-Site Scripting (XSS)
  18. Practical Security Scenarios: Real-Life Examples
  19. Troubleshooting Security Issues in FileMaker
  20. Monitoring and Maintenance: Continuous Security Improvement
  21. Resources and Further Reading

1. Introduction

Security in FileMaker development has evolved from a “nice-to-have” feature to an absolute necessity. In the third Claris Community Live event, Rosemary Tietge, along with experts Wim Decorte and Doug Wallis, walked through the most relevant security challenges, solutions, and best practices for FileMaker developers. This session emphasized that keeping your security measures up to date is not just about compliance; it’s about protecting your data, your users, and your reputation. This blog will cover every detail shared during the session and offer insights for building a secure FileMaker environment.

2. The Importance of Security

Security is about more than just protecting your code. It’s about safeguarding data, financial resources, and reputation. Wim highlighted the devastating impact that a security breach can have—not just on data, but also on a company’s reputation. He stressed that a breach could lead to loss of trust, regulatory fines, and in severe cases, the collapse of the company.

Key takeaways on why security is essential:

  • Protecting sensitive data: In many industries, the data you handle is sensitive—be it personal information, financial data, or intellectual property.
  • Maintaining trust: A secure environment helps you maintain the trust of your clients and stakeholders.
  • Regulatory Compliance: GDPR, NIS2, and other regulatory frameworks demand robust security measures.
  • Financial and operational stability: Breaches can cause significant downtime and financial losses.

3. The Security Landscape: Current Threats and Misconceptions

One of the highlights of the discussion was the security landscape—what modern threats look like and why traditional security approaches may not be sufficient. Wim used the MITRE ATT&CK Framework to illustrate the complexity of current threats, which often go beyond direct attacks to involve persistence, lateral movement, and exfiltration.

Key Threats and Misconceptions:

  1. Commoditized Attacks: Today’s cyber-attacks are often indiscriminate and automated, targeting any vulnerability they find. You don’t need to be a high-profile target; simply having a connected device makes you vulnerable.
  2. Perimeter Security Fallacy: The old idea of protecting your network perimeter is outdated. Remote work, mobile devices, and cloud services mean the perimeter is now everywhere.
  3. Small Business Myth: Small to mid-sized businesses are often targeted because they tend to have weaker defenses. No organization is too small to be attacked.

4. Key Concepts: Authentication vs. Authorization

Understanding the difference between authentication and authorization is vital in FileMaker security:

  • Authentication: Verifying that a user is who they claim to be. This can involve usernames, passwords, multi-factor authentication, or biometric verification.
  • Authorization: Determining what an authenticated user can do within the system. In FileMaker, authorization is managed through Privilege Sets.

5. Modern Threats: Why Small Businesses Are Not Exempt

Wim debunked the myth that smaller businesses are safer due to their lower profile. Automated attacks often target small businesses because they have fewer resources to dedicate to security, making them easier prey. Here are some reasons why small businesses should be vigilant:

  • Weak defenses make them attractive to cybercriminals.
  • Ransomware often targets businesses that cannot afford downtime.
  • Data breaches can have severe reputational impacts, regardless of company size.

6. Understanding Attack Vectors in the FileMaker Ecosystem

FileMaker developers face unique challenges due to the blend of data and code in a single file. Common attack vectors include:

  • Credential theft through phishing or weak passwords.
  • Malware in container fields, where scripts or files can be hidden.
  • Misconfigured privilege sets that can give unintended access.
  • Open ports or weak network configurations allowing unauthorized entry.

7. External Authentication: Best Practices

External authentication is the preferred choice for professional FileMaker deployments:

  • Centralized User Management: Delegate identity management to specialized providers (e.g., Okta, Azure AD).
  • Group-Based Authentication: Use groups for authorization, minimizing the need to manage individual accounts.
  • Scalability: External systems are better suited for environments with hundreds or thousands of users.

8. OAuth and OpenID Connect: Modern Security Standards

OAuth 2.0 and OpenID Connect are the industry-standard protocols behind modern sign-in; FileMaker supports both for robust user verification:

  • OAuth 2.0 is a protocol for authorization, allowing third-party services to access user information without exposing credentials.
  • OpenID Connect builds on OAuth, adding an identity layer for user verification.

By integrating these standards, developers can ensure that user identities are validated securely, minimizing the risk of unauthorized access.

9. Using Multi-Factor Authentication (MFA) for Enhanced Security

MFA adds an additional layer of protection, requiring users to present two or more pieces of evidence (factors) to gain access:

  • Something you know (password)
  • Something you have (security token, smartphone)
  • Something you are (biometrics)

MFA significantly reduces the chances of unauthorized access. For FileMaker solutions, this can be easily integrated through external identity providers supporting MFA.

10. Passwordless Authentication: The Next Step in Security

FileMaker supports passwordless authentication via external providers, using options like:

  • Yubikeys and hardware tokens: Devices that generate a one-time passcode (OTP) for access.
  • Biometric methods: Fingerprint or facial recognition.
  • Magic links or authentication apps: A secure link or app-based confirmation to validate the user’s identity.

11. FileMaker Security Configuration: Internal vs. External

Doug and Wim discussed the advantages and disadvantages of using FileMaker’s internal authentication versus external systems:

  • Internal Authentication: Easier for quick setups or offline solutions, but requires regular maintenance to ensure security.
  • External Authentication: Offers better scalability, centralized management, and compliance features.

Recommendation: Use internal authentication only for small-scale projects or when operating in environments without constant internet connectivity.

12. FileMaker Cloud and Claris ID

For FileMaker Cloud users, Claris ID offers a built-in, cloud-managed identity solution:

  • Integration: Currently supports Azure AD and Okta, with plans to expand the list of supported identity providers.
  • Managed by AWS Cognito: A secure backend with automated security features.
  • Geolocation and AI: Uses advanced threat detection based on login patterns, device information, and geographical location.

13. SSL Certificates: Why They’re Essential

SSL certificates are critical for encrypting data between the client and server, ensuring secure communication over potentially vulnerable networks. SSL certificates provide:

  • Encryption: Protects data in transit, making it unreadable to eavesdroppers.
  • Server Validation: Confirms the server’s identity, preventing man-in-the-middle attacks.

Decorte explained that SSL certificates are a mandatory requirement for any production FileMaker deployment. Without proper encryption, sensitive data like credentials and business records could be intercepted.

14. Let’s Encrypt and FileMaker 2024: A Game-Changer

The release of FileMaker Server 2024 brought integrated support for Let’s Encrypt, a free and automated certificate authority. This is a significant development because it:

  • Removes the cost barrier associated with traditional SSL certificates.
  • Automates the renewal process, ensuring that certificates are always up-to-date.
  • Simplifies the deployment of SSL, making it accessible for small businesses.

Let’s Encrypt has made SSL certificates a commodity, reinforcing the notion that there’s no excuse for not securing a server.

15. Implementing Strong Security: Practical Tips

Decorte and Wallis shared numerous actionable tips for developers to strengthen FileMaker security:

  1. Use unique passwords for each FileMaker account.
  2. Implement external authentication whenever feasible.
  3. Disable the guest account in production environments to reduce attack surfaces.
  4. Regularly update FileMaker Server and plugins to patch known vulnerabilities.
  5. Use SSL certificates to encrypt data in transit.
  6. Audit user privileges frequently to ensure correct access levels.
  7. Monitor logs to detect unusual activity or potential intrusions.
  8. Backup data regularly, ensuring secure and isolated storage.
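Tip 7 (monitor logs for unusual activity) is the one most often skipped because it needs a little tooling. As an added example, not code from the session, the speakers, or Claris, the Node.js script below applies a sliding-window counter to login events and raises one alert per account and per client address once five failures land inside five minutes, which catches both a single account being hammered and one address trying many accounts. The log lines are constructed for the demo and their layout is a simplification, not the exact format of any FileMaker Server log file; the timestamp is assumed to be UTC.

```javascript
// Added example, not from the Claris session: detect repeated failed logins in
// an access log. The log lines are CONSTRUCTED for this demo; their layout is a
// simplification and is not the exact format of any FileMaker Server log file.

const SAMPLE_LOG = [
  "2024-06-13 09:00:01 LOGIN_FAIL account=admin client=203.0.113.10",
  "2024-06-13 09:00:05 LOGIN_FAIL account=admin client=203.0.113.10",
  "2024-06-13 09:00:09 LOGIN_FAIL account=admin client=203.0.113.10",
  "2024-06-13 09:00:14 LOGIN_FAIL account=admin client=203.0.113.10",
  "2024-06-13 09:00:20 LOGIN_FAIL account=admin client=203.0.113.10",
  "2024-06-13 09:00:31 LOGIN_OK account=sales01 client=198.51.100.7",
  "2024-06-13 09:05:00 LOGIN_FAIL account=sales01 client=198.51.100.7", // one typo, not an attack
  "2024-06-13 09:30:00 LOGIN_FAIL account=sales01 client=192.0.2.44",   // one address, many accounts
  "2024-06-13 09:30:03 LOGIN_FAIL account=sales02 client=192.0.2.44",
  "2024-06-13 09:30:06 LOGIN_FAIL account=sales03 client=192.0.2.44",
  "2024-06-13 09:30:09 LOGIN_FAIL account=sales04 client=192.0.2.44",
  "2024-06-13 09:30:12 LOGIN_FAIL account=admin client=192.0.2.44",
  "this line is malformed and must be skipped",
];

// Parse one line into an event object, or return null when the line does not match.
function parseLine(line) {
  const m = /^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (LOGIN_OK|LOGIN_FAIL) account=(\S+) client=(\S+)$/.exec(line);
  if (!m) return null;
  return {
    ts: Date.parse(`${m[1]}T${m[2]}Z`), // timestamps are treated as UTC (assumption)
    ok: m[3] === "LOGIN_OK",
    account: m[4],
    client: m[5],
  };
}

// Sliding-window counter. Each failure is counted under two keys, the account and
// the client address. An alert is raised once per key, the first time at least
// `maxFailures` failures for that key fall inside `windowMs`.
function findBruteForce(lines, { maxFailures = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const failures = lines
    .map(parseLine)
    .filter((e) => e && !e.ok)
    .sort((a, b) => a.ts - b.ts);
  const recentByKey = new Map(); // key -> timestamps of failures still inside the window
  const alerts = new Map();      // key -> alert record
  for (const e of failures) {
    for (const key of [`account:${e.account}`, `client:${e.client}`]) {
      const recent = recentByKey.get(key) || [];
      recent.push(e.ts);
      while (recent[0] < e.ts - windowMs) recent.shift(); // drop failures older than the window
      recentByKey.set(key, recent);
      if (recent.length >= maxFailures && !alerts.has(key)) {
        alerts.set(key, {
          key,
          count: recent.length,
          firstSeen: new Date(recent[0]).toISOString(),
          lastSeen: new Date(e.ts).toISOString(),
        });
      }
    }
  }
  return [...alerts.values()].sort((a, b) => a.key.localeCompare(b.key));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const alert of findBruteForce(SAMPLE_LOG)) console.log(JSON.stringify(alert));
}
```

Running it against the sample produces three alerts: `account:admin` and `client:203.0.113.10` for the burst at 09:00, and `client:192.0.2.44` for the spray across four sales accounts at 09:30; the lone failed login for `sales01` at 09:05 stays below the threshold. The same counter works on real FileMaker Server access logs once `parseLine` is adapted to their actual line format.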

16. Risks of Custom Security Systems

Decorte was clear about the dangers of developing custom security solutions within FileMaker. Custom security systems often rely on scripts and internal tables for user management, which can be easily bypassed. Common pitfalls include:

  • Lack of encryption: Storing passwords in clear text.
  • Misconfigured access controls: Allowing unauthorized access to sensitive data.
  • Insecure authentication logic: Relying on scripts to handle login processes.

Instead of creating a custom solution, developers should leverage FileMaker’s built-in security features or use external authentication providers, which are specifically designed to manage identities securely.

17. Web Viewer Vulnerabilities and Cross-Site Scripting (XSS)

One of the more technical discussions during the event revolved around the potential vulnerabilities associated with the Web Viewer in FileMaker. Since the Web Viewer can load external JavaScript libraries and execute scripts, it introduces risks such as:

  • Cross-Site Scripting (XSS): If untrusted data is inserted into the DOM without sanitization, a malicious user can get their own script to run inside the Web Viewer and, through its script hooks, modify the database.
  • Library Poisoning: Using compromised or untrusted JavaScript libraries could expose vulnerabilities.

To mitigate these risks, developers should:

  1. Host JavaScript libraries locally, avoiding third-party hosting.
  2. Sanitize all user inputs before they are rendered.
  3. Use Content Security Policies (CSPs) to restrict the sources that can be loaded within the Web Viewer.

18. Practical Security Scenarios: Real-Life Examples

Real-life examples shared by the speakers included instances where developers failed to implement proper security measures, leading to breaches. Some scenarios involved:

  • Weak password policies, allowing attackers to brute-force entry.
  • Neglected SSL encryption, leading to intercepted communications.
  • Misconfigured privilege sets, granting unauthorized users excessive access.

These examples underscored the importance of adhering to best practices and regularly reviewing security configurations.

19. Troubleshooting Security Issues in FileMaker

Common security issues in FileMaker include:

  • Incorrect privilege sets: Users inadvertently being granted more access than intended.
  • Weak internal passwords: Easy-to-guess credentials for internal accounts.
  • Inadequate SSL deployment: Misconfigured certificates causing unencrypted traffic.

To address these, developers should regularly:

  • Test privilege sets in sandbox environments.
  • Review password policies to ensure strength.
  • Use tools like SSL Labs to validate SSL configurations.

20. Monitoring and Maintenance: Continuous Security Improvement

Security is an ongoing process, not a one-time effort. The speakers emphasized:

  • Regular audits of privilege sets and user roles to ensure they remain appropriate.
  • Real-time monitoring using tools like intrusion detection systems (IDS) to catch potential breaches.
  • Continuous education on the latest security threats and FileMaker updates.

Investing time in regular monitoring and adopting a proactive approach to security helps minimize risks and keeps solutions resilient against evolving threats.

21. Resources and Further Reading

For further insights into FileMaker security, here are some invaluable resources:

  • FileMaker Security Guide: Claris Official Documentation
  • MITRE ATT&CK Framework: MITRE’s Official Site
  • SSL Best Practices Blog by Wim Decorte: Soliant Consulting
  • Claris Community Forum: Claris Community
  • Let’s Encrypt Official Site: Let’s Encrypt

Conclusion

The Claris Community Live session emphasized that security is a continuous journey, not a destination. FileMaker developers must stay informed, follow best practices, and utilize the right tools to create robust and secure applications. By adhering to the guidance from experts like Wim Decorte and Doug Wallis, developers can ensure their solutions are well-protected against both current and future threats.
