FileMaker Security Audit

INTRODUCTION

One of our large clients recently had a change of ownership. The new ownership team brought in a security analysis firm, BlueOrange, to perform a security analysis and penetration testing study of our client’s IT infrastructure, including the custom Claris FileMaker solution we developed for them and have been enhancing and supporting for about ten years now. We haven’t had the chance to work with a firm like BlueOrange in the past on an enterprise-scale security analysis. It was a good experience for us, and I thought a report on this process would be interesting to the larger Claris FileMaker community.

30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link. Only 3% of users report malicious emails to management.

PurpleSec

I’ve divided this blog post into three sections: 

  • The goals for the work defined by BlueOrange

  • Penetration testing work

  • Findings

I’ve focused on the security analysis of the FileMaker applications and left out the substantial work done by BlueOrange on the network and workstation environment.


GOALS & SCOPE

The goals of the penetration testing were as follows:

  • Compromise services in order to gain access to personal health information or confidential information generally

  • Attempt to exploit vulnerabilities using automated and manual tools

  • Provide evidence of the levels of access achieved

WORK PERFORMED

BlueOrange conducted several days of testing, facilitated by test servers and system information provided by the IT firm and Portage Bay as the application developers. We set up identical test servers in our client’s AWS environment for testing so that the production servers would not be affected.

In addition to a detailed survey of the front-end user interface, penetration testing included injection testing, XML External Entities (XXE), Broken Access Control, Insecure Deserialization, and searching for components with known vulnerabilities. BlueOrange also analyzed the data stream between FileMaker clients and the server for encryption vulnerabilities.

FINDINGS

BlueOrange found a number of security issues to be addressed in the FileMaker solution on the front end. Virtually all issues were related to decisions made over the years to facilitate ease of administration and support of the application. Some decisions were made by us as the developers, some were made by our client.

The issues virtually all centered on stored credentials of one kind or another that are visible to end users. Those end users are authorized, to be sure, but such a setup still leaves security vulnerabilities that could cause reputational damage if exploited by a disgruntled employee.

The average healthcare worker has access to 31,000 sensitive files on their first day of work, with nearly 20% of all files open to every employee.

PurpleSec

Fortunately, the work to be performed to mitigate these security risks is relatively straightforward. We will be removing the credentials from the user interface and replacing them with salted and hashed passwords. Our client will have to modify their processes in a few small ways as well because of these changes.
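To make concrete what "salted and hashed" means for a credential table, here is an added example (not Portage Bay's code and not part of the original post) that shows the shape of the change: a one-off migration that replaces cleartext passwords with PBKDF2-HMAC-SHA256 records carrying a fresh random salt per user, and a verifier that recomputes the hash from the stored salt and compares in constant time. The sample user table, the record format and the iteration count are assumptions for illustration; the iteration count in particular should be tuned to your server hardware.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example; tune ITERATIONS to your hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table cannot be reused.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record never verifies
    if algorithm != ALGORITHM or iterations < 1 or len(expected) < 16:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def migrate_cleartext_table(users: dict) -> dict:
    """One-off migration: replace each stored cleartext password with a hash record.

    After this runs, the cleartext column should be dropped; the UI only ever
    calls verify_password and never displays or stores the password itself.
    """
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample of the kind of table the audit flagged: cleartext passwords.
    legacy = {"alice": "correct horse battery staple", "bob": "hunter2"}
    migrated = migrate_cleartext_table(legacy)
    for name, rec in migrated.items():
        print(name, rec)
    print(verify_password("hunter2", migrated["bob"]))  # True
    print(verify_password("hunter3", migrated["bob"]))  # False
```

The record stores its own algorithm name and iteration count, so the cost can be raised later and old records re-hashed at next login without a second migration.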

The great news for us as FileMaker developers is that no successful penetration of the FileMaker data was achieved. Network traffic was found to be very secure, and no open-source or third-party components were found to have security vulnerabilities. No login vulnerabilities in our custom user management system were discovered.

Claris’ emphasis on security in the FileMaker platform is strong and has been getting stronger in recent years. New capabilities in FileMaker 19, such as wider support for OAuth identity providers, demonstrate this focus and give FileMaker developers the tools for meeting security-related business requirements.

Over 878 million data records were compromised worldwide in the month of January 2021 alone, more than the entire year of 2017.

Computer Weekly

If you run into any security-related issues with your FileMaker solution, please get in touch with us; we’d love to assist!
