
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Software from Building Blocks - Fast Development - One Month Projects



More than 20 years ago I was working away from home, in a loud restaurant / bar in London, chatting to colleagues about ideas and ways to make money. I proposed an idea where a person creates code blocks that implement the core functionality, so that only a limited amount of time is then spent building the actual application.

Yes, I am aware that this is the idea behind tools like VB.net, Apex, Delphi and others, but these development environments still require you to put together all of the core elements of the application, glue them together and then write the actual functionality that you need.

That evening more than 20 years ago I suggested One Month Projects: a toolkit of core features would allow new, saleable applications and programs to be made and marketed within one month each. That month would include writing the application, the installer, the documentation, the marketing, etc., so that it could be sold. In terms of that discussion it meant that you could create a new application / program to sell every month and keep adding to the portfolio of software for sale; one (or ideally more than one) of them would for sure be successful and the person doing it would make money. The discussion that evening in London was about ways to make money.

I never forgot that discussion, and when I created PFCLScan, our first product, I wanted to use these same code/functionality block ideas to make the development and construction of other applications faster and easier. So PFCLScan was more complex and comprehensive than it needed to be simply to run security checks against an Oracle database.

First I created a separation between the GUI and the scanning engine itself. I have mentioned some of these ideas here before. The scanning engine runs projects; these projects are XML files that link to further XML files, the policies, which in turn contain checks: the actual things that do the work. These checks can be SQL, PL/SQL, Shell, DOS, Lua, ftp, sftp, ssh and many more. In fact a check can run anything, because it can run a local DOS command. We also created many tools that each do a single thing, and these can be run from a check. The checks themselves are dynamic; a check can read data from a previous check in another policy that has already run, and even from a previously executed project. That data can be static or loop based; i.e. a check in one language can be run once for each result in the list returned by a previous check or project.

The scanning engine was designed to literally do anything that can run as a command.

The reporting tool uses its own report language and any input text file can be a report template. This means that we can generate any text file based on static data in the scanner, the rules themselves or from results of a scan.

When we chain these two things together, it means we can use projects and reports as tools within PFCLScan itself. We do this for plugins and also to implement features in the product. It means that PFCLScan is infinitely extendable.
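To make the project / policy / check hierarchy and the data flow between checks concrete, here is a toy model written for this post (it is not PFCLScan's own engine or XML format; the `Check`, `Policy`, `run_project` and `render` names and the `{{policy.check}}` report syntax are my assumptions): results are keyed by policy and check name so a later check, or a later project, can read them, loop based checks run once per prior result, a command check passes prior results in as arguments rather than shell text, and a report template is any text with placeholders.

```python
import re
import subprocess
import sys
from dataclasses import dataclass, field

@dataclass
class Check:
    name: str
    run: object                  # callable: receives input rows, returns result rows
    input_ref: str = ""          # "policy.check" of an earlier check, if any
    loop: bool = False           # True: call run() once per input row

@dataclass
class Policy:
    name: str
    checks: list = field(default_factory=list)

def run_project(policies, results=None):
    """Run every check in order; results are keyed "policy.check" so later
    checks (or a later project, if results is passed in) can reuse them."""
    results = dict(results or {})
    for pol in policies:
        for chk in pol.checks:
            rows = results.get(chk.input_ref, []) if chk.input_ref else []
            if chk.loop:
                out = [r for row in rows for r in chk.run([row])]
            else:
                out = chk.run(rows)
            results[f"{pol.name}.{chk.name}"] = out
    return results

def local_command(rows):
    """Command check: a prior result goes in as an argv entry (data, not shell
    syntax); the interpreter is used as the command so this runs anywhere."""
    code = "import sys; print(sys.argv[1].upper())"
    proc = subprocess.run([sys.executable, "-c", code, rows[0]],
                          capture_output=True, text=True, check=True)
    return [proc.stdout.strip()]

def render(template, results):
    """Tiny report language: {{policy.check}} expands to the joined result rows."""
    return re.sub(r"\{\{(\S+?)\}\}",
                  lambda m: ", ".join(results.get(m.group(1), [])), template)

SAMPLE = [  # constructed sample project: list users, then two loop based checks
    Policy("users", [Check("list", lambda _: ["scott", "hr", "system"])]),
    Policy("audit", [Check("per_user", lambda rows: [f"{rows[0]}:checked"],
                           input_ref="users.list", loop=True),
                     Check("shout", local_command, input_ref="users.list", loop=True)]),
]
```

Passing the result dictionary of one `run_project` call into the next models a check reading from a previously executed project.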

Next came the One Month Projects, which took more than one month to create but built on the core PFCLScan features and blocks in a similar way to what I envisaged more than 20 years ago. The scanner also includes a core framework, logging and trace, reporting screens, connections, and more. When we created applications I wanted them to use PFCLScan and not re-implement the same features over and over. So a new application uses our application frame, which already brings a lot of the features we need. We then implement all of the functionality as plugins (projects and policies) and do minimal GUI work, simply to call plugins and then manage the data and display it. Not One Month Projects, but very fast development. We have 5 software applications now, two more in development and many more in the pipeline. Each will be added into the framework.

Each application can be licensed standalone, with others, or with PFCLScan itself.

We also manage the build of the applications, and the management of licenses and customers, using PFCLScan. We created a custom plugin that can build, email and ftp the software for each customer, and even build and send updates to each live customer when one is ready.

The scope to extend and build more applications exists on a number of levels:

  • Create more core applications within the application framework

  • Create project based applications, where a new project based application runs from PFCLScan; we can do this, or customers / partners could do this also

  • Create non database type applications; for instance, PFCLScan is a database security scanner BUT it could just as easily be something else completely, such as a website cookie scanner

  • Integrate our software into other products as a commercial venture; all our products have their functionality built as plugins, and these can be run from the command line and therefore easily integrated into other companies' products

  • Integrate our software into other tools personally, as an aid to do something. All our products have their functionality built as plugins, and these can be run from the command line and therefore easily run from other tools that you have. For instance, the editor TextPad can run commands, so our scanner can be run as a command and, provided it produces a text file (it can produce text, HTML, JSON and many more), the output will load into TextPad; that's just one example. Because our tools run from the command line they could also be integrated into custom internal software, such as running PFCLCode as part of a PL/SQL software build process

  • Many More....


Whilst we didn't create exactly One Month Projects, you can hopefully see how I designed PFCLScan to be a toolkit that can easily be extended, integrated, and become other products or be the basis for them. I always remembered that discussion and wanted to be able to do this: to make the creation of new products fast and easy, and to make the products extendable and powerful.

If you would like to see a demo of our software then please send me a DM on any of our social channels, or send me an email to pete at petefinnigan dot com.