From Dwayne Wright PMP, PMI-ACP, CSM
Certified FileMaker Developer
FileMaker does not have a feature that can test the vulnerability of a FileMaker solution. In network design, there are tools that can scan for network holes or places that are vulnerable to attack. It would be great if an awesome testing tool like that existed for FileMaker, because developing a robust FileMaker solution can be difficult and it can always have security-related requirements. With so many steps involved in making a productive system as secure as it could be, it is always possible that you missed one.
So the only way to be sure that a solution is safe is to test, test and test it again. The idea is to see if you can get into areas or perform actions you shouldn’t be able to ... while accessing the system under a particular privilege set. Without testing the vulnerability of a FileMaker solution, can you be sure that it is secure?
Now, if you have a nice set of security documentation (including a security policy), you can test for security results much more easily. The idea is to document that this role can do this but shouldn’t be able to do that.
For example, log in with a user role for the shipping department and see if you can change an invoice. Another typical example is to log in with a sales person’s password and see if you can change the cost of a product.
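The approach above can be kept as a small policy matrix and checked against recorded test results. The following Python sketch is an added example, not code from the author or from FileMaker: the privilege set names, tables, actions and observed results are all constructed, and the results are assumed to be entered by hand after logging in under each privilege set. It also lists the combinations nobody has tested yet, which is where the "one thing you missed" tends to hide.

```python
from itertools import product

# Constructed sample data: these names are illustrative, not from a real solution.
PRIVILEGE_SETS = ["Shipping", "Sales"]
TABLES = ["Invoices", "Products"]
ACTIONS = ["view", "edit", "delete"]

# Security policy: actions each privilege set MAY perform; anything absent is denied.
POLICY = {
    ("Shipping", "Invoices"): {"view"},
    ("Shipping", "Products"): {"view"},
    ("Sales", "Invoices"): {"view", "edit"},
    ("Sales", "Products"): {"view"},
}

# What the tester recorded while logged in under each privilege set:
# (privilege set, table, action, did the action succeed?)
OBSERVED = [
    ("Shipping", "Invoices", "view", True),
    ("Shipping", "Invoices", "edit", True),    # shipping changed an invoice
    ("Shipping", "Invoices", "delete", False),
    ("Shipping", "Products", "view", True),
    ("Shipping", "Products", "edit", False),
    ("Sales", "Invoices", "view", True),
    ("Sales", "Invoices", "edit", False),      # policy allows this, system blocked it
    ("Sales", "Products", "view", True),
    ("Sales", "Products", "edit", True),       # sales changed product data
]

def audit(policy, observed):
    """Compare recorded test results with the policy (default deny)."""
    expected = {
        (role, table, action): action in policy.get((role, table), set())
        for role, table, action in product(PRIVILEGE_SETS, TABLES, ACTIONS)
    }
    seen = {(r, t, a): ok for r, t, a, ok in observed}
    unknown = sorted(k for k in seen if k not in expected)
    if unknown:
        raise ValueError(f"results outside the policy matrix: {unknown}")
    return {
        "violations": sorted(k for k, ok in seen.items() if ok and not expected[k]),
        "over_restricted": sorted(k for k, ok in seen.items() if not ok and expected[k]),
        "untested": sorted(k for k in expected if k not in seen),
    }

if __name__ == "__main__":
    for finding, cells in audit(POLICY, OBSERVED).items():
        print(finding, cells)
```
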
This kind of testing isn’t the most exciting element of FileMaker design, but it is an essential aspect of database security protection.
For more info about the author and FileMaker in general, contact me at firstname.lastname@example.org.
© 2009 - Dwayne Wright - dwaynewright.com
The material in this document is offered AS IS. There is NO REPRESENTATION OR WARRANTY, expressed or implied, nor does any other contributor to this document. WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. Consequential and incidental damages are expressly excluded. FileMaker Pro is the registered trademark of FileMaker Inc.