PFCLScan – Enterprise Database Security Scanner

Fig 1: PFCLScan Example of a cracker report

PFCLScan has been architected, designed and created by Pete Finnigan, an expert in the database security field for almost 10 years. PFCLScan has been designed to create a unique chance to benefit from an expert's real-world experience in securing data held in Oracle databases. PFCLScan has also been conceived to help you create a secure environment for your data. The product takes you from capture of architecture, data flow and user identification through to an initial deep analysis of a single (or more) database. From there a correction strategy can be developed before implementing scanning, monitoring and compliance testing.

Our main focus when we designed the product was to allow someone to buy it and, within a minute or so of installing it, be able to run an audit against their database.

The second focus was to promote the point that simply running a standard audit designed by someone else is not the perfect solution. The better solution is to conduct a detailed review and design a specific standard or policy that says “what a secure database looks like” for your organisation. We want people to do that, and we therefore wanted PFCLScan to be used to implement that policy. We have included many time-saving features to allow you to quickly create your own policies that allow you to test your own compliance. These include:

  • Libraries to allow quick reuse of code
  • Structured policies and checks that allow tests to be re-used easily in different projects
  • Projects so that you can design a set of tests and re-use it as many times as you wish
  • Hierarchy to allow sophistication and power to be included in your policies
  • Different test types including SQL, PL/SQL, Shell, DOS scripts, Lua, sftp, ftp and much more to allow a thorough policy to be created

What we wanted to achieve is sophistication and power with quick development, implementation and use. We also designed PFCLScan with the developer in mind, so we include:

  • Instrumentation: We have instrumented the whole of PFCLScan so that you can enable logging, error logging and trace on all of the graphical user interface and also all of the engines used to execute your policies. These log and trace files are visible within the interface and also searchable. You can review them yourself to help development of your policies, or save and upload them to support for assistance
  • Tuning: We provide reports that show the detailed performance of a whole project, whole policy or individual checks so that you can assess where tuning should take place on your developed policies and tests. You can also change a range of configurations to improve and tune the policies that you have created; these techniques and features are described in the 350 page manual
  • Programmer's Editor: The interface includes a color syntax highlighting programmer's editor to help you develop your own policies and tests. This includes macros and also snippets as well as every editor feature you would expect in a development environment.
  • Flexible Interface: The graphical user interface is also created with a developer in mind. You can hide, move and layer windows to your heart's content to make development of your own policies, checks and reports as simple and as quick as possible
  • Libraries: You can use our policies and checks in your own policies and checks. None of our checks are hidden, none of our reports are hidden, you can take ours and “save as” and create your own. This is a good aid to fast creation of your own custom policies

PFCLScan Modes of Operation

PFCLScan has two main modes of operation:

PFCLScan Audit: PFCLScan is an ideal tool for auditors – targeted at auditing a small number of databases in a deep and methodological way to get the clearest, deepest picture of your current security. Ideal for external auditors, internal auditors and DBAs

PFCLScan Enterprise: PFCLScan is also ideal for end customers to scan many databases with your own custom-developed policies or ours to understand which databases must be secured. It also provides a role as a monitoring or compliance tool. PFCLScan is scalable and can be run remotely or completely from the command line. All of the key scanning functionality is separated architecturally from the console to allow this. This means that 1 + n child engines can be deployed and controlled from the central console. The console also provides centralised reporting.

PFCLScan Features

Some of the exciting features of PFCLScan are listed below:

  • General Features
    • Easy to use
    • Modern Ribbon interface including fully dockable windows and skins
    • Easy installation or upgrades
    • Modes of operation: audit, correction, scanning, monitor, compliance and more
    • Project driven
    • Easily create your own policies and checks
    • Built in command line tools for ad-hoc exploration and check/policy development
    • Generate fix scripts, audit configuration, IDS/IPS policies, MS Word policies, policies for PFCLScan
    • Simple licensing, support, upgrade terms
  • Policies/Checks
    • Comprehensive editors for targets, policies
    • Large suite of shipped policies and checks for deep auditing
    • Unique hierarchical policies controlled at compile time or run time
    • Unique correlation of results
    • Unique loop checks
    • Checks in many formats, interview, architecture, SQL, PL/SQL, shell, built in commands and much more
    • Built in check command language PFCLScript and PFCLLuaScript
    • On line mode or off-line mode – suitable for offline analysis of data
  • Extendability
    • Full command line support and scriptable
    • Customer modification allowed for built in policies and checks
  • Built-in Reporting
    • Built in sophisticated programmable reporting tool – PFCLReports
    • Fully programmable reporting language PFCLReportScript
    • Large suite of shipped reports
    • Create your own reports in many formats, txt, html, xml, MS Word, or customise ours
  • Much more…

More Information, Request A Demo?

If you would like to receive further details of this exciting new product or request a demo then please email info@petefinnigan.com

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
