PFCLScan Version RoadMap
PFCLScan is currently released at version 3.0 (11 September 2019). We are developing PFCLScan actively and fully support the product. This page describes the product roadmap, both what is planned for the near future and, more tentatively, what is planned further ahead, so that customers can see what we are working on and where the product is heading.
Please check back regularly for updates to the PFCLScan product roadmap; we will update this page as we make progress and release new versions. As with all roadmaps, this is not a legal statement of intent. We plan new features, changes and updates and want to show here where we intend to head, but this is not a legal commitment to add any particular feature or change to the product; it is an indication of where we would like to go, and we would like to share that, so please read it with this understanding. Oracle call this a safe harbour; this is similar, without the legal speak. This is where we would like to end up and we will work towards it, but until a feature is released, don't count on it.
Please note that there will be point releases between each of the major releases, so some features may be released in a point release as and when they are ready.
Here is a list of the changes, features, bug fixes and content that we would like to add in new versions:
Version 3.0 was released on 11 September 2019, so this list summarises the new features that made it into 3.0 at the time of release:
- We rewrote most of the GUI elements to use Telerik's Ribbon menu, docking windows, window manager and Grid controls. The previous version used the Divelements Ribbon, window manager and grid, but Divelements was end of life and also stopped working correctly from Windows 10 Build 1709. This was a major rewrite, but it makes the product future proof (unless Microsoft decides to stop supporting Windows Forms).
- We took the opportunity of the move to Telerik to update the Ribbon menu to the 2010-and-later styling rather than the 2007 Ribbon used in earlier versions of PFCLScan.
- We implemented plugins. Like the Telerik update this will not immediately seem to be a benefit to customers, BUT we needed plugins in order to support lots of new features. There are now "hook" points in the code in a limited number of places: the database connection test, the server connection test and the dashboard (see below). The plugins screen in the options now allows plugins assigned to hooks to be run, as well as the listed plugins; it does not yet allow plugins to be re-assigned or added. Plugins are a great addition to the scanner because they allow it to be extended dynamically without us having to do it: customers can create and add their own plugins. We will use plugins more and more in newer versions. More on this to follow.
- We have added a dashboard to PFCLScan. In the dashboard you can view a current audit (scan) and see the breakdown of results by severity and by category. The dashboard supports showing multiple scan results; on entry it shows an average for all scans conducted so far (actually, for all projects of type auditor, and also those in the recently used files list). The dashboard can be refreshed at any time and uses a plugin to generate its data from projects, so it is expandable. It also shows scan history by date, so you can easily see how many scans you are doing and when.
- We added over 440 new checks to the scanner
- We have fixed many bugs / tickets
- We have added a single page score report. This report lets a customer see, at a high level, a single security score for a database; it also shows a score for each of 8 categories of issues and how each category contributes to the total security score for the database. The third section of the report shows which areas to focus on to improve the overall security of the database: the two areas that would give the largest and second largest improvements, ending with the worst performing area. The report is also usefully colour coded: the more GREEN it is, the better.
- There were many other smaller fixes, changes and improvements
Version 4.0 is scheduled to be released in January 2020.
- PFCLCode, the main new feature to be added in this version, is a PL/SQL code security analyser. This is a whole new feature that will allow a customer to scan a schema for PL/SQL and analyse that code for security vulnerabilities. It will analyse syntax related issues, such as use of dangerous code or SQL injection, and it will also analyse design issues such as those related to permissions, and more. This feature will be available in PFCLScan as a complete new plugged-in application and also as a standalone application, so customers can choose PFCLScan with database security AND code analysis, or license PFCLCode separately. We have decided to do it this way as we feel there will be developers who want this tool but maybe not all of the database scanning features. This feature will be in version 4.0 as it is already being developed.
- We will add a user rights module that will operate in a similar way to PFCLCode above. It will be a separate accessible module in PFCLScan and its purpose is to allow detailed analysis of users in the database and all of their privileges. This module may be offered as a separate license like PFCLCode, but we have not finalised this aspect yet. The aim is to remove accounts from a database that are not necessary and to remove privileges that are not necessary; this module will help you do the detailed analysis needed to achieve this.
- We will add more checks to version 4.0. The exact number of new checks is not known yet, but we will update this section closer to the version 4.0 release date.
- We will fix as many tickets / bugs as we can
- We will add a new variation of the single page report that was added in version 3.0. That report is for one database; we will add the ability to run a similar report for projects that scan multiple databases.
- Some customers have asked us to customise some of our standard reports, or have asked how they can customise the reports themselves. A good example is customers who want to modify the standard database scan report to show just the severity 1 issues, or severity 1 and 2. This can be done with a one line edit in the report template, BUT we want to allow customers to customise reports from a simple dialog box with check items, which will then automatically edit the report template for the user. Guess what? It will use a simple plugin to do this. Note: this was bumped from version 3.0 due to other priorities but we will try and add it in version 4.0.
- We will extend the dashboard functionality to add more load plugins. This will include the ability to work with multiple database projects, and more search and find plugins to locate more projects on the PC and then run the dashboard against them. We also want to support refreshing the dashboard automatically after a scan. This will all be done with plugins.
- We will add more plugin "hook" points. These will include an after-scan hook so that a plugin can automatically run reports, including the single page score report added in version 3.0. A number of "hook" points will be added, including after scan, before scan, at startup, at shutdown and more.
- We will expand the plugins screen to allow the plugins per hook point to be changed; this is disabled in version 3.0.
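As an illustration of the kind of syntax-level issue a PL/SQL analyser such as PFCLCode looks for, here is an added example written for this page; it is not PFCLCode's code or its detection logic. It is a small Python heuristic that finds the dynamic-SQL sinks (EXECUTE IMMEDIATE, OPEN ... FOR, DBMS_SQL.PARSE) in a PL/SQL source and reports whether the statement text reaching each sink is built with || concatenation, following assignments to a local variable where the sink is fed from one. The two procedures it scans are constructed samples, and the regular expressions and names are assumptions made for the example.

```python
import re

# Constructed sample PL/SQL written for this example; it is not code from
# PFCLScan or PFCLCode.  The first procedure builds its statement by string
# concatenation, the second passes the caller's value as a bind variable.
VULNERABLE_PLSQL = """
CREATE OR REPLACE PROCEDURE get_emp (p_name IN VARCHAR2) IS
  l_sql VARCHAR2(4000);
  l_cnt NUMBER;
BEGIN
  -- classic injectable pattern: p_name is pasted into the statement text
  l_sql := 'SELECT COUNT(*) FROM emp WHERE ename = ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE(l_cnt);
END;
"""

SAFE_PLSQL = """
CREATE OR REPLACE PROCEDURE get_emp (p_name IN VARCHAR2) IS
  l_cnt NUMBER;
BEGIN
  -- the statement text is constant; the value travels as bind :1
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE ename = :1'
    INTO l_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE(l_cnt);
END;
"""

# Dynamic-SQL sinks this heuristic knows about.  For DBMS_SQL.PARSE the
# statement is taken as the second positional argument; named notation
# (statement => ...) is not handled.
SINK_RE = re.compile(
    r"\b(?P<sink>EXECUTE\s+IMMEDIATE|OPEN\s+\w+\s+FOR|DBMS_SQL\.PARSE)\s*(?P<expr>[^;]*);",
    re.I | re.S,
)
ASSIGN_RE = re.compile(r"\b(?P<var>\w+)\s*:=\s*(?P<rhs>[^;]*);", re.I | re.S)
CLAUSE_RE = re.compile(r"\b(INTO|USING|RETURNING|BULK)\b", re.I)


def normalise(plsql: str) -> str:
    """Drop comments and collapse string literals to 'STR' so that a || or a ;
    inside a literal (or in commented-out code) cannot confuse the scan."""
    src = re.sub(r"/\*.*?\*/", " ", plsql, flags=re.S)
    src = re.sub(r"--[^\n]*", " ", src)
    return re.sub(r"'(?:[^']|'')*'", "'STR'", src)


def find_dynamic_sql_sinks(plsql: str) -> list:
    """One finding per dynamic-SQL sink: which sink, the expression supplying
    the statement text, and whether that text is built with || (directly, or
    through a local variable that was assigned from a concatenation)."""
    src = normalise(plsql)
    assignments = {}
    for m in ASSIGN_RE.finditer(src):
        assignments.setdefault(m.group("var").upper(), []).append(m.group("rhs"))

    findings = []
    for m in SINK_RE.finditer(src):
        sink, expr = m.group("sink"), m.group("expr").strip()
        if sink.upper().startswith("DBMS_SQL"):
            args = expr.strip("()").split(",")
            stmt = args[1].strip() if len(args) > 1 else expr
        else:
            stmt = CLAUSE_RE.split(expr, maxsplit=1)[0].strip()
        concatenated = "||" in stmt
        if not concatenated and re.fullmatch(r"\w+", stmt):
            # statement text is a variable: inspect every assignment to it
            concatenated = any("||" in rhs for rhs in assignments.get(stmt.upper(), []))
        findings.append({"sink": " ".join(sink.split()).upper(),
                         "statement": stmt, "concatenated": concatenated})
    return findings


def report(plsql: str) -> list:
    """Human-readable lines, one per sink, for the findings above."""
    return [("INJECTABLE " if f["concatenated"] else "ok         ")
            + f"{f['sink']} <- {f['statement']}" for f in find_dynamic_sql_sinks(plsql)]


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_PLSQL), ("safe", SAFE_PLSQL)):
        print(name)
        for line in report(src):
            print("  " + line)
```

The check is deliberately lexical: it does not know which concatenated operands are parameters, so it flags every concatenated statement and leaves the reviewer to decide whether the pieces are trusted. A real analyser would also follow values across procedure calls and treat DBMS_ASSERT-wrapped operands differently; those refinements are outside this example.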
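The user rights module described above is about effective rather than directly granted privileges, because a privilege granted to a role that is granted to another role still reaches the account. The following added Python example (written for this page, not PFCLScan's code) resolves nested role grants over constructed rows shaped like DBA_ROLE_PRIVS and DBA_SYS_PRIVS and reports every system privilege an account can reach together with the role chain that delivers it, which is what a reviewer needs in order to decide what to revoke. The grant rows and the HIGH_RISK set are assumptions chosen for the example.

```python
from collections import deque

# Constructed grant rows written for this example; they come from no real
# database and are not PFCLScan data.  ROLE_GRANTS mirrors DBA_ROLE_PRIVS
# (grantee, granted_role) and SYS_PRIVS mirrors DBA_SYS_PRIVS (grantee, privilege).
ROLE_GRANTS = [
    ("APP_USER", "APP_ROLE"),
    ("APP_ROLE", "REPORT_ROLE"),
    ("REPORT_ROLE", "DBA"),          # nested grant a one-level review would miss
    ("DBA", "SELECT_CATALOG_ROLE"),
    ("BATCH", "CONNECT"),
]
SYS_PRIVS = [
    ("APP_USER", "CREATE SESSION"),
    ("APP_ROLE", "CREATE TABLE"),
    ("CONNECT", "CREATE SESSION"),
    ("DBA", "SELECT ANY TABLE"),
    ("DBA", "ALTER SYSTEM"),
    ("BATCH", "CREATE ANY PROCEDURE"),
]

# System privileges worth questioning on an application account.  This is an
# illustrative subset chosen for the example, not a complete or product list.
HIGH_RISK = {"SELECT ANY TABLE", "ALTER SYSTEM", "CREATE ANY PROCEDURE",
             "GRANT ANY PRIVILEGE", "BECOME USER", "EXECUTE ANY PROCEDURE"}


def effective_privileges(grantee, role_grants=ROLE_GRANTS, sys_privs=SYS_PRIVS):
    """Map every system privilege reachable by grantee to the role chain that
    delivers it ([] means a direct grant).  Breadth-first search over the role
    graph, so the shortest chain is reported and cyclic role grants terminate."""
    roles_of = {}
    for holder, role in role_grants:
        roles_of.setdefault(holder, set()).add(role)
    privs_of = {}
    for holder, priv in sys_privs:
        privs_of.setdefault(holder, set()).add(priv)

    reachable = {}
    seen = {grantee}
    queue = deque([(grantee, [])])
    while queue:
        holder, path = queue.popleft()
        for priv in sorted(privs_of.get(holder, ())):
            reachable.setdefault(priv, path)   # keep the first (shortest) chain
        for role in sorted(roles_of.get(holder, ())):
            if role not in seen:
                seen.add(role)
                queue.append((role, path + [role]))
    return reachable


def high_risk_findings(grantee, role_grants=ROLE_GRANTS, sys_privs=SYS_PRIVS):
    """Privileges from HIGH_RISK that grantee holds, with the chain to revoke."""
    privs = effective_privileges(grantee, role_grants, sys_privs)
    return {priv: " -> ".join([grantee] + path)
            for priv, path in privs.items() if priv in HIGH_RISK}


if __name__ == "__main__":
    for account in ("APP_USER", "BATCH"):
        print(account)
        for priv, path in sorted(effective_privileges(account).items()):
            flag = "HIGH RISK" if priv in HIGH_RISK else "         "
            via = " -> ".join([account] + path) if path else "direct grant"
            print(f"  {flag} {priv:22} via {via}")
```

Run against the sample rows, APP_USER is shown holding SELECT ANY TABLE and ALTER SYSTEM through APP_ROLE -> REPORT_ROLE -> DBA, even though nothing of the kind appears against APP_USER directly; that chain, not the account, is where the revoke belongs. Object privileges (DBA_TAB_PRIVS) and PUBLIC grants would be added the same way.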
Version 5.0 is scheduled to be released in June 2020.
- New scan targets: we will add support to scan MS SQL Server, MySQL (and similar databases such as MariaDB) and PostgreSQL. We will add new database engines so that checks can run against these databases, and also add new projects, policies and checks for them.
- A new module will be added to allow forensic timeline analysis for Oracle databases. We will extend the current policies that allow collection of potential forensic data from an Oracle database, and allow the user of the scanner to add collected artefacts to a new timeline management screen where all evidence can be sorted and compiled by timeline. This module will be similar to PFCLCode in that it can be added to a normal PFCLScan license or purchased separately as a separate product.
- We will add more checks to version 5.0. The exact number of new checks is not known yet, but we will update this section closer to the version 5.0 release date.
- We will fix as many tickets / bugs as we can
Version 6.0 is scheduled to be released in October 2020.
- We will add a new module, PFCLATK, that will be available as part of the scanner or as a separate product. This product builds on our existing Audit Trail Toolkit, which allows a rapid policy based audit to be developed and deployed around an audit events table. Four new modules will form this new product. The first is a dashboard that allows activity to be monitored and alerts to be reviewed and acted upon for all target databases that have had the toolkit deployed. The second is an admin interface to manage the toolkit in each target database and also in the defined central database. The third will be a new module based around our Oracle security audit interview screens that allows a customer to use a prompt based approach to easily design an audit trail design or policy for their company, including defining events, what data should be captured and how each event should be reported or alerted on. When completed, this screen will allow a complete MS Word design/policy document to be generated for use in the company, and also a complete deployment to be generated to deploy and implement in a target database. The fourth element (not the fifth element!) is to link the scanner and the audit trail: we will be able to generate audit trail policies from scans and also run scans based on audit trails.
- Dump policies will be improved. We can currently create a dump policy from a normal policy. This feature exists to support an auditor who is not allowed to connect PFCLScan to the database; in that case a dump policy can be run instead. This converts a subset of the checks into a set of PL/SQL and SQL*Plus scripts that the auditor can pass to the customer's DBA to execute for them. The results are a set of XML outputs that can be loaded into PFCLScan to analyse and then run reports against. This feature exists now, but the main scan policies are not written to support it. We will port them so that offline scans can be done.
- We will add more checks to version 6.0. The exact number of new checks is not known yet, but we will update this section closer to the version 6.0 release date.
- We will fix as many tickets / bugs as we can