Events and Causal Factors Analysis

11 PM June 23, 2003

Charles Miller, in his recent post on Penetration Testing, wrote:

A successful penetration indicates something more than a particular security flaw. It indicates some systemic flaw in network security policies or practices.

and:

If the penetration is successful, it is to… practices and procedures that management should return, to examine how they could be better implemented, or more clearly communicated to employees.

Events and Causal Factors Analysis is a technique for analysing and communicating the systemic and indirect causes of incidents. It would be useful for examining faults in practices and procedures after a ‘successful penetration.’

By alang
(Posted to Software Development)

Producing Acrobat PDFs in Python

7 PM June 23, 2003

I was working on a Python based prototype recently, and needed to demonstrate the ability to generate and print reports.

Producing printed material is a tedious thing to do in most programming platforms. Java and MSWindows, for instance, both require a program to render printed output in the same manner as a GUI is rendered, though with kludges for the different resolutions and the requirement for the user to select an output device. From the little I know about it, the situation in *nix is worse.

PDF files are a way to sidestep some of the problems: the application ‘simply’ produces a PDF, fires up Acrobat Reader and lets the user view and print at their leisure. The trick is finding a usable PDF generation library.

ReportLab maintain The ReportLab Toolkit, an open source PDF generation library for Python. I used it in the prototype and was impressed. It:

  • Has all the basic APIs… get new page, draw graphics and/or text, repeat, write file.
  • Has some mid-level facilities for layout – paragraphs, tables and so forth.
  • Can access font metrics, which is needed for dynamic layout of report elements.
  • Works on multiple platforms.
  • Has comprehensive documentation.
  • Comes with reusable demo code.
  • Is licensed very liberally.

In addition, simple things “Just Work”. I reused some of the sample code, and my prototype had a multi-page report with page headers and footers (including the page number) in about twenty lines of code.

As for the negatives, I haven’t had enough exposure to it to find anything truly frustrating. Here’s one small thing: a few of the shipped classes are usable, but not completely finished. Comments in the code clearly identified these modules.

One of the demos for wxPython—which I also used on this prototype—showed how to embed Acrobat as an ActiveX control in MSWindows. I integrated that demo code with the prototype and the ReportLab generated PDFs popped up beautifully.

Overall, bouquets to The ReportLab Toolkit. My impressions from four or five hours working with it are that it is comprehensive and flexible, as well as being stable and mature enough to use for my application.

By alang
(Posted to Software Development)
© 2003-2006 Alan Green