
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Happy 18th Birthday PeteFinnigan.com Limited

Last year was an eventful one, and 2021 started a bit strangely due to lockdown. Last Friday our company, PeteFinnigan.com Limited, came of age; it was 18 years old. Wow, it has been a long journey for our company, but an interesting and exciting one!

This coronavirus has been with us for around one year already. The first cases in the UK (at the time) were here in York, where I live. Two people were taken away in an ambulance from a hotel, with the ambulance staff wearing full hazmat suits. At least that level of precaution is no longer the norm: ambulances are seen driving around with no sign of full hazmat suits anymore, just staff in more normal PPE.

We were plunged into a lockdown in the middle of March 2020 here in the UK and told to work from home; so we did for a few months and then gradually came back to the office after the lockdown ended. We then had another short lockdown in November. Then came January 2021, and the numbers of cases, deaths and people in hospital here in the UK went through the roof. At the start of this current lockdown we started to work from home, and then I caught covid myself from a family member. The others in my family recovered quickly, but I had it for weeks and was laid up, unable to do anything. I managed to get most of the symptoms listed by the NHS except severe difficulty breathing, which is the one symptom you don't want to get; in fact only very recently do I feel much, much better. I spoke to someone today who remarked that when they saw me 2-3 weeks ago I looked terrible, like I was on my way to the morgue: I was not just pale but my skin was grey. Not good to know, but at least I am much better now.

So how has the company been affected by Covid? Well, normally we would be travelling all over the world delivering consulting engagements and I would be teaching my Oracle Security training classes. There has been no travel, but we have been providing training classes online for many customers, both public trainings and private events, and we have been doing consulting engagements online as well. We have done security audits, PL/SQL code reviews and provided expert consulting in many areas of Oracle security. I personally miss the face-to-face contact we get when teaching and when delivering consulting, but for training it is just as good online for the students: our classes are still live with me teaching, students can still see everything in terms of slides, my demos and my screen, and of course students can interact as much as they need to and ask questions.

Progress with products was hampered slightly: we had planned to release another new product, PFCLForensics, in January, but due to my covid infection and the lockdown that has been delayed. We will release it soon. This is a tool that can be used to perform immediate "live incident response" on a suspected (or known) breached Oracle database and then to provide "forensics analysis" within the same tool. The forensics is done with a timeline that can be viewed in a number of ways, so that the data you collect and identify as part of the breach can be ordered into that timeline.

Keep an eye out for more news on PFCLForensics coming soon.

During 2020 we released a number of new interim point-release versions of PFCLScan, adding more facilities, checks and tools to it.

More importantly, we also released a completely new product and completely revamped another product.

The new product is PFCLCode, a static source code analyser. This tool analyses your PL/SQL code for vulnerabilities, but it also goes further than other source code analysers because we also look at the design and deployment of the code into the database: things like hierarchy, design choices of the schema and of individual pieces of PL/SQL, as well as privileges. We, of course, also analyse the PL/SQL code itself for issues.

The revamped product is PFCLObfuscate, our product to protect the PL/SQL you have deployed to a database. The product had been available for a while as a command-line-only tool. We have now added a complete GUI interface to it and released that during last year. This makes the tool easier to use and it also brings productivity enhancements. It is a great tool and easy to use. Of course the command-line operation is still there if you need it to integrate the tool into a build system.

One of the major design decisions that I made last year whilst we were developing PFCLCode, PFCLObfuscate and PFCLForensics was to leverage the core functionality of PFCLScan.

The core scanner was designed as a framework that can connect to a database, a server or whatever else and run projects with policies comprised of checks written in many different languages: SQL, PL/SQL, Lua, Unix shell, DOS scripts, sftp, even question-based checks, and because we can run DOS commands you can actually run checks in any language you wish if you have that language's interpreter on your PC. This power is enhanced in that the core engines of PFCLScan can themselves be run as checks. This creates powerful recursive checks where a project/policy/check can run the scanner itself as a check, ad infinitum, which allows automation and structured scanning. The same applies to the reporting tool we created, which sports its own very simple BUT powerful language. This framework allowed us to use the scanner within itself, so that development moves into "user" space and is not confined to core development of the GUI. This led to plugins, which are actually just project/policy/checks in the scanner. You can create a project to do something useful, either on the host PC or in a database or elsewhere, and then convert that project to a plugin. This can then be run from the plugins screen as a tool.

We extended the plugin functionality to allow plugins to be executed from the GUI at certain designated "hook points". This means the interface can be extended easily: adding a "hook point" is simple code, and then a plugin can be created in "user space" and assigned to that "hook point" in the plugins screen.

This extension and reuse of features, along with some other changes, led us to design all of our new software products INTO PFCLScan. We create a new GUI screen for each product, such as PFCLCode, and this can be accessed via the "tools" menu in PFCLScan if you purchase PFCLScan + PFCLCode; if you purchase just PFCLCode, a launcher is presented when the tool starts up, you choose PFCLCode, and you only see the PFCLCode interface. Although each product such as PFCLCode has its own GUI screen / interface, it uses the core features of PFCLScan (trace, logging, users, login, plugins of course, and more). This means we have one source code tree for all products and one build system, and we can develop new products much faster because quite a bit of the work is creating plugins and, importantly, using existing functionality.

All of this means that we can easily sell bundles of products together and add new products to sell in the same design model, BUT we reuse the core functionality rather than redeveloping similar things over and over.

It gets better, well, for us anyway. We also created the customer build system and the activation system inside of PFCLScan using plugins. So PFCLScan is used to build PFCLScan.

I will expand on the products in a later post and talk more about what they can do to help you secure your Oracle databases and data.

We are also working on adding more training dates to our public training calendar. More dates will be added in the next few days, so please watch out for those. We have many training classes, and all focus on how to secure an Oracle database. All of our classes are described on our "Oracle security training course" page. Have a look there for details and a 2-page flyer for each class.

We are also in discussions with a number of companies to partner with us to resell our software products, or to partner with us in offering our consulting or training. We are always open to taking on more partners and resellers. The advantage for you is that you can offer training and services that you do not have the skills in house to offer, and also resell ready-made security products to help people secure the data in their Oracle databases. Please contact me to discuss if you would like to partner with us.

If you would like more information on any of our services please contact me now and I will be happy to help.

If you would like to book a place on a training class or to request a private class then please contact me and I will be happy to help.

If you would like to purchase a license for any of our software products or request a demo, then please contact me and I will be happy to help with that.