Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

A Brief History of PFCLScan - Database Security scanner

This is a short history of our PFCLScan product and therefore also a history of the other apps now built on top of PFCLScan such as PFCLObfuscate, PFCLCode, PFCLForensics and more.

Obviously, after such a long time and without detailed notes of the development, some of this is based on hazy memories from long ago. Nobody else can really contradict any of it, so please bear in mind that some of the detail may not be 100% accurate, but it is still a valid history of how it was developed.

I might come back and enhance this in the future with more details and I might move it to the PFCLScan product pages but for now it is a blog.

I started PeteFinnigan.com Limited on the 12th February 2003 and my goal was to provide services, training and eventually products to help customers secure the data in their Oracle databases. Of course I also wanted to help the public generally, through blog and other posts on my website, to secure data in their Oracle databases - so I have posted a huge amount of free content: papers, talks and of course tools written in SQL and PL/SQL. One of my key goals in creating software was to make it easier for me personally to review customers' databases by having tools that I could easily use, BUT the goal was also to create commercial tools to do the same and sell licenses for them.

So just after I started PeteFinnigan.com Limited, on the 24th April 2003, I started a C program called oscan.exe that would be the core engine of my database scanner. The main C file has a comment for version 0.0.1 dated the 24th April 2003 and its header is shown here:

/*============================================================================*/
/* File Name : oscan.c */
/* Author : Pete Finnigan */
/* Date : April 2003 */
/* Name : OSCAN */
/*============================================================================*/
/* Description : This program is the PeteFinnigan.com Limited Oracle */
/* database security scanner. The project is conceived to */
/* replace the current PL/SQL scripts and shell scripts and */
/* may form part of a commercial scanner offering. */
/*============================================================================*/
/* maintainer : Pete Finnigan (http://www.petefinnigan.com) */
/* Copyright : Copyright (C) 2003, 2008, 2009, 2010 PeteFinnigan.com */
/* Limited */
/* All rights reserved. All registered trademarks recognised */
/* */
/* The contents of this file are protected by copyright. Any */
/* unauthorised copying, duplication of its contents are in */
/* breach of the copyright. */
/* */
/*============================================================================*/
/* History */
/* */
/* Wh Ver Date Description */
/* === === ========== =========== */
/* PF 0.0.1 24-Apr-2003 First release */
/* PF 0.1.1 26-Jun-???? **previous updates removed*** */
/* PF 0.1.2 29-Dec-???? Move to VCC EXP */
/* PF 0.1.3 28-Mar-???? Added code access functions */
/* PF 0.1.6 28-Jun-???? Work to add in command loop */
/* PF 0.1.7 31-Oct-2007 General progress */
/* PF 0.1.9 01-Apr-2008 Move to OSCAN */
/* PF 0.1.10 02-Apr-2008 Test compile with cleaned structure */
...

The file was clearly updated in 2010 and, as the header contains no comments after that time, this is when I started to add changes to release notes instead, but the earlier comments are valid.

As writing in C is much slower than writing in SQL and PL/SQL, I quickly put the C program to one side and decided to create a SQL / PL/SQL scanner for my own use in customer engagements, not to sell. The SQL*Plus script was a wrapper around calls to specific scripts, and these scripts acted as internal functions. This allowed the main script to be a container for hundreds of checks and reports, with just define statements to set names, values etc. and then a call to each separate script (like a function call). This set of scripts grew to 40-50,000 lines or more of SQL and PL/SQL and was useful for me to perform security audits. It was not useful to sell as a product though, as it was just scripts with no reports, explanatory text or advice.

At some point I decided to go back to my C based scanner oscan.exe and started work on it again so that eventually I could sell it and of course use it internally on consulting engagements.

This restart, judging from the comments above, happened sometime in 2007 but I do not remember exactly when. I completed the first version of oscan.exe to load a policy of checks and run it against an Oracle database. Already it had some sophistication in that it could execute any SQL or PL/SQL based check in one policy. It also had built-in trace and logging to help with support. The whole program has its own config file that can be used to control it. The policies were stored in XML files and as part of that development I created an XML parser in C to load the policies. The output from processing a policy was also stored in XML files.

I made a decision not to use a database as the repository for the tool, as that database would then itself need to be locked down and protected.

I also decided to use OCI (Oracle Call Interface - not cloud) to connect to the database and run SQL and PL/SQL, plus some other bits such as breaking a running session.

I made a blog post (C code API to encapsulate OCI) showing oscan.exe running publicly for the first time on April 7th 2008. So, the core engine was done and running checks in policies by then:

C:\oscan -c oscan.conf -v

OSCAN: Release 0.1.12 - Alpha on Mon Apr 07 11:18:26 2008

Copyright (c) 2003, 2008, PeteFinnigan.com Limited. All rights reserved.

[2008 Apr 07 10:18:26] Logger: Starting OSCAN...
[2008 Apr 07 10:18:26] Logger: Running Scanner
....
[2008 Apr 07 10:27:32] Logger: Closing Down OSCAN

Sometime after, as we had only a C program that ran a single policy passed in to it, and it was a Windows command line program, I needed to make it a proper Windows application. At this time it was not called PFCLScan. As I registered the domain on the 6th July 2009, I assume that on that day I came up with the name PFCLScan.

The GUI originally started as a C++ / MFC program and, whilst I could probably find the exact date of that development, I won't, as it was a two week detour. I started on C++ / MFC as the engine was in C and the plan originally was to move oscan.exe into the Windows program, as C and C++ can play together. The learning curve in MFC was high and, whilst a fairly good looking GUI could be created quickly, it was much harder to then change, tweak and add things to. Probably I should have stayed with MFC but I wanted faster progress, so I switched the GUI to vb.net.

This switch meant that we needed to call oscan.exe from the GUI as a command line tool. This was a good choice, as it meant that PFCLScan can also be run from the command line very simply, and indeed it still can be.

At this point I needed to create projects that could contain any number of policies that are then run by oscan.exe. So the idea of projects was born: a project is also an XML file, it contains any number of policies and each of these policies contains any number of actual checks. This meant we could define a project in the GUI and then run each policy through oscan.exe. This also gave me the opportunity to add more sophistication. I realised that I could create a check in SQL or PL/SQL that took input from a previous policy or check and fed the values from any column of its result data into the new check. This allows checks to be written that reduce database round trips. A good example is a policy/check that gets a list of default users or default roles; these are fed into subsequent checks that need the list of default users and roles as text to be added to their SQL or PL/SQL.

We also added loop checks, a variation on the static dependencies above. This means that the results of one check - i.e. rows of result data - can be fed row by row into a subsequent check.

I also saw the opportunity to add libraries: where a check is used more than once it becomes a library, and the code for the library can be loaded in and executed. We can of course mix and match; static dependencies (think #define in C) and loops all work with libraries as well. A library is just a policy / check, so it can be written and edited through the GUI.
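To make the project / policy / check structure and the two dependency modes concrete, here is a toy model of them in Python. This is an added example and is not PFCLScan or oscan.exe code: the XML layout, the attribute names (depends, mode, column, library), the stub database and the sample rows are all assumptions made for illustration. The one point worth taking from it beyond the text is the sql_literal function: a value pulled from a previous check's result set comes from the database under test, so it is treated as untrusted before it is spliced into the next check's SQL.

```python
"""Toy model of the project -> policy -> check structure with static and loop
dependencies and libraries. Added example, not PFCLScan or oscan.exe code:
XML layout, attribute names and the stub database are assumptions."""
import re
import xml.etree.ElementTree as ET

# Constructed project file. A project holds policies, each policy holds checks.
# A check may declare "depends" on an earlier check plus the result column to
# take values from; mode="static" splices all values into the SQL once, while
# mode="loop" runs the check once per result row. A check may also pull its
# body from a reusable <library> instead of carrying its own <sql>.
PROJECT_XML = """<project name="demo">
  <library id="lib.object_count">
    <sql>select count(*) as cnt from dba_objects where owner = {username}</sql>
  </library>
  <policy name="default_accounts">
    <check id="default_pwd_users">
      <sql>select username from dba_users_with_defpwd</sql>
    </check>
    <check id="default_pwd_users_open" depends="default_pwd_users" mode="static" column="username">
      <sql>select username from dba_users where account_status = 'OPEN' and username in ({username})</sql>
    </check>
    <check id="objects_per_default_user" depends="default_pwd_users" mode="loop" column="username">
      <use library="lib.object_count"/>
    </check>
  </policy>
</project>"""

IDENT_RE = re.compile(r"^[A-Za-z0-9_$#]+$")


def sql_literal(value):
    """Quote a value taken from an earlier check's result before it is spliced
    into the next check's SQL. Result rows come from the database under test,
    so they are untrusted: only identifier-like values are accepted and any
    embedded single quote is doubled."""
    if not IDENT_RE.match(value):
        raise ValueError(f"refusing to splice non-identifier value: {value!r}")
    return "'" + value.replace("'", "''") + "'"


def load_project(xml_text):
    """Parse the project XML into a list of (policy_name, [check dicts])."""
    root = ET.fromstring(xml_text)
    libraries = {lib.get("id"): lib.findtext("sql") for lib in root.findall("library")}
    policies = []
    for pol in root.findall("policy"):
        checks = []
        for chk in pol.findall("check"):
            use = chk.find("use")
            sql = libraries[use.get("library")] if use is not None else chk.findtext("sql")
            checks.append({"id": chk.get("id"), "sql": sql.strip(),
                           "depends": chk.get("depends"), "mode": chk.get("mode"),
                           "column": chk.get("column")})
        policies.append((pol.get("name"), checks))
    return policies


def run_project(policies, execute):
    """Run every check in order. execute(sql) is whatever talks to the database
    (OCI in the real engine) and returns a list of row dicts. Returns a dict of
    check id -> rows; a loop check's rows are the concatenation of its runs."""
    results = {}
    for _name, checks in policies:
        for chk in checks:
            if chk["depends"] is None:
                results[chk["id"]] = execute(chk["sql"])
                continue
            col = chk["column"]
            values = [row[col] for row in results[chk["depends"]]]
            if chk["mode"] == "static":
                joined = ", ".join(sql_literal(v) for v in values)
                results[chk["id"]] = execute(chk["sql"].format(**{col: joined}))
            elif chk["mode"] == "loop":
                rows = []
                for v in values:
                    rows.extend(execute(chk["sql"].format(**{col: sql_literal(v)})))
                results[chk["id"]] = rows
            else:
                raise ValueError(f"unknown dependency mode {chk['mode']!r}")
    return results


class StubDatabase:
    """Constructed stand-in for the OCI connection: answers canned rows and
    records every statement sent, so the rendered SQL can be inspected."""
    CANNED = {
        "select username from dba_users_with_defpwd":
            [{"username": "SCOTT"}, {"username": "OUTLN"}],
        "select username from dba_users where account_status = 'OPEN' "
        "and username in ('SCOTT', 'OUTLN')":
            [{"username": "SCOTT"}],
        "select count(*) as cnt from dba_objects where owner = 'SCOTT'": [{"cnt": 6}],
        "select count(*) as cnt from dba_objects where owner = 'OUTLN'": [{"cnt": 3}],
    }

    def __init__(self):
        self.issued = []

    def execute(self, sql):
        self.issued.append(sql)
        return list(self.CANNED.get(sql, []))


def demo():
    """Run the constructed project against the stub; returns (results, issued SQL)."""
    db = StubDatabase()
    return run_project(load_project(PROJECT_XML), db.execute), db.issued


if __name__ == "__main__":
    results, issued = demo()
    for sql in issued:
        print("SQL>", sql)
    for check_id, rows in results.items():
        print(check_id, rows)
```

Running it issues four statements: one for the first check, one for the static check with both usernames spliced into the IN list, and one per row for the loop check that borrowed its body from the library.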

The programs used to process the static dependencies, loops and libraries are lock.exe and load.exe, so I know roughly when these ideas/features were added: these programs were started on the 10th and 11th January 2010, so this development at least started then.

At this time I also recognised that PFCLScan needed a reporting language, so I invented one. I also, for the first time, saw the advantage of recursion and re-use. So the first job for the report language (PFCLReport) was to create projects from the data obtained from the user via a Windows wizard - name, file name, location and type of project, plus a template for the project. The repo.exe tool was started on the 15th January 2010. The report tool is simple and loop based. We have a template, which can be any text file; this is parsed and any data found is substituted into the output wherever there are variables. The language is rich, has hundreds of variables and is loop based, so you can loop over the databases that have been scanned and over policies and checks. The language is easy to use.
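As an added illustration of what a loop-based report language of this kind looks like, below is a small template renderer in Python. It is not PFCLScan's repo.exe or the PFCLReport syntax: the {{ name }} and {% for x in y %} notation, the recursive parser and the sample scan data are assumptions chosen for the example. It does show the two ideas the text describes, that the template is plain text with variables substituted, and that loops nest so a report can walk databases, then policies, then checks.

```python
"""Tiny loop-based text template language in the spirit of the PFCLReport
description. Added example, not PFCLScan's repo.exe or its syntax: the
{{ var }} / {% for %} notation and the sample data are assumptions."""
import re

# A template is any text file; variables and loops are the only constructs.
TOKEN_RE = re.compile(r"(\{\{.*?\}\}|\{%.*?%\})", re.S)
FOR_RE = re.compile(r"^for (\w+) in ([\w.]+)$")


def parse(tokens, pos=0, inside_loop=False):
    """Build a nested node list; each loop recurses, so loops nest to any depth."""
    nodes = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok.startswith("{%"):
            inner = tok[2:-2].strip()
            if inner == "endfor":
                if not inside_loop:
                    raise SyntaxError("endfor without for")
                return nodes, pos + 1
            m = FOR_RE.match(inner)
            if not m:
                raise SyntaxError(f"unknown tag {inner!r}")
            body, pos = parse(tokens, pos + 1, inside_loop=True)
            nodes.append(("for", m.group(1), m.group(2), body))
        elif tok.startswith("{{"):
            nodes.append(("var", tok[2:-2].strip()))
            pos += 1
        else:
            nodes.append(("text", tok))
            pos += 1
    if inside_loop:
        raise SyntaxError("for without endfor")
    return nodes, pos


def lookup(path, ctx):
    """Resolve a dotted name such as db.name against the context dicts."""
    cur = ctx
    for part in path.split("."):
        cur = cur[part]
    return cur


def render(nodes, ctx):
    """Emit text nodes verbatim, substitute variables, expand loops recursively."""
    out = []
    for node in nodes:
        if node[0] == "text":
            out.append(node[1])
        elif node[0] == "var":
            out.append(str(lookup(node[1], ctx)))
        else:
            _, var, path, body = node
            for item in lookup(path, ctx):
                out.append(render(body, {**ctx, var: item}))
    return "".join(out)


def render_template(text, ctx):
    tokens = [t for t in TOKEN_RE.split(text) if t]
    nodes, _ = parse(tokens)
    return render(nodes, ctx)


# Constructed scan results: databases -> policies -> checks.
SCAN = {
    "project": "demo",
    "databases": [
        {"name": "orcl", "policies": [
            {"name": "default_accounts", "checks": [
                {"id": "default_pwd_users_open", "status": "FAIL", "rows": 1},
                {"id": "objects_per_default_user", "status": "PASS", "rows": 2},
            ]},
        ]},
        {"name": "test", "policies": []},
    ],
}

# Constructed template: three nested loops over the scan results.
TEMPLATE = """Report for {{ project }}
{% for db in databases %}Database: {{ db.name }}
{% for pol in db.policies %}  Policy {{ pol.name }}
{% for chk in pol.checks %}    {{ chk.id }}: {{ chk.status }} ({{ chk.rows }} rows)
{% endfor %}{% endfor %}{% endfor %}"""


def demo_report():
    return render_template(TEMPLATE, SCAN)


if __name__ == "__main__":
    print(demo_report())
```

The parser returns its node list and resume position whenever it meets the closing tag of the loop it is inside, which is what lets the same few lines handle arbitrary nesting; an unmatched tag in either direction is reported as a syntax error rather than silently producing a truncated report.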

So, I used repo.exe from the GUI to go off and create a project when a user chose to start a new project. Re-use!

Around the same time I came up with the idea of adding plugins to PFCLScan. A plugin is simply a project in PFCLScan, so it can be created in the GUI, have policies and checks added to it, and then be converted into a plugin - and it can still be run as a project in the GUI. Plugins can be run ad hoc from the plugins screen or can be run from hook points throughout the application. A hook point can have any plugin associated with it. This means an end user could, if they wished, write a new plugin and replace ours. Powerful.

The first two plugins created were to test the connection to a database and test the connection to a server with ssh.

So around the 2009 / 2011 timeframe we added the ability to run shell commands on a server. To allow a plugin to connect to the database through OCI in oscan.exe, we also at this time added Lua to oscan.exe. This was a neat, extendable way to do it and also meant we can now write checks in Lua!

Most of the core features were added around this 2009 / 2011 timeframe. I showed a picture of PFCLScan on September 1st 2009, presumably using the old mechanism for testing a connection, as this was before plugins. Search for the blog post (A book, a database scanner and a magazine column and a few bugs) to see this picture.

We started to add applications, with PFCLObfuscate as the first one in 2019 / 2020, by building apps on top of PFCLScan so that they could easily use the core features of the main product and remove the need to rewrite things again in each app. This also made build and deployment easier, as we now had one software build rather than a separate one for each product. The natural next step was also to use PFCLScan plugins to build and activate PFCLScan itself. Full circle!

I added the product website around March 2017. Version 1.3 was released on the 18th October 2013 and version 3 on 11 July 2019 and version 4 before xmas 2024. Version 5 (2025) is being worked on now.

The first public demo was on May 13th 2013 in Edinburgh and the first sale was on the 10th February 2013.

We are now working on version 2025 and also adding a new product as an App, PFCLUserRights, that will do a detailed analysis of users and their privileges in the database, plus updates to all the apps and the core scanner.

So, that is a brief history of PFCLScan and its apps and, as I said, I might come back and extend this in the future with more details.

#oracle #security #pfclscan #vulnerability #scanner #breach #databreach #datasecurity