VSJ – November 2004 – Work in Progress

Tony Grimes, of Broker Direct plc and lately a student at IAP Education Partner Lincoln University, completes his three-part article on the implementation of his Cover Note software.

The first area of development was to implement adequate security. Broker Direct required as a minimum level of security that the system:

  • Must be inaccessible if it falls into the wrong hands.
  • Must require activation before it can be used. Broker Direct must be able to record which systems have been activated.
  • Will need re-activating every time 25 cover notes have been issued.
  • Can only be accessed via daily login codes.
  • Must not be left open for long periods and must terminate when an agreed time limit is reached.
  • Must identify the issuing broker.
  • Must not allow users access to the raw data in the database.

The most effective way of securing the system for activation was to implement a partial code that requires a completion code, provided by Broker Direct, to enter the system.

When the system is activated for the first time it displays the partial code to the user and instructs him or her to call Broker Direct. Broker Direct asks for the partial code and provides the user with the completion code, which is calculated by a 120Kb application that simply calculates codes. The code is generated by a function that takes a random number and the broker’s agency number as arguments and applies an algorithm to the two. A new random number is generated every time the partial code is required, so that a hacker could not simply try sequences of numbers to crack the code.

The partial code reappears when the system has issued 25 cover notes, thus indicating that the ‘virtual stock’ has been ‘used up’. Entering the completion code will ‘refill’ the Cover Note System to 25 again.
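The activation exchange described above, as an added example that is not the Cover Note system's own code (the article does not publish its algorithm). It assumes HMAC-SHA256 keyed with a secret shared by the head-office calculator and the client; the class, function and parameter names are hypothetical.

```python
import hashlib
import hmac
import secrets

STOCK = 25  # cover notes per activation, as stated in the article


def completion_code(secret: bytes, agency: str, nonce: str) -> str:
    """Head-office side: derive the completion code for a partial code."""
    msg = f"{agency}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits so the code can be read out over the phone.
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class CoverNoteClient:
    """Broker side: tracks the 'virtual stock' and the pending partial code."""

    def __init__(self, secret: bytes, agency: str):
        self._secret = secret
        self.agency = agency
        self.remaining = 0      # locked until first activation
        self._nonce = None

    def partial_code(self) -> str:
        # Fresh random number each time, so an earlier completion code never fits.
        self._nonce = f"{secrets.randbelow(10**8):08d}"
        return self._nonce

    def activate(self, code: str) -> bool:
        if self._nonce is None:
            return False
        expected = completion_code(self._secret, self.agency, self._nonce)
        ok = hmac.compare_digest(expected.encode(), code.encode())
        self._nonce = None      # single use, whether or not the code matched
        if ok:
            self.remaining = STOCK
        return ok

    def issue(self) -> bool:
        if self.remaining == 0:
            return False        # stock used up: re-activation required
        self.remaining -= 1
        return True
```

Because the client has to verify the code offline, the shared secret is present in the installed program, so the scheme is only as strong as the protection of that secret.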

Daily login codes are used in most systems and were implemented without a problem.

MS Access includes a reasonable level of security. The tables cannot be viewed either directly or through a link.

The system has little functionality as far as the user is concerned, as planned. The broker wants to login to the system, issue a cover note and shut down in about five minutes.

The cover note input screens have been kept as simple as possible. The hard work, such as the data integrity checks, is invisible to the user. These are coded from scratch in VB.

MS Calendar Control 8.0 was added as a component to make data entry less complex and reduce the margin for error.

The cover note number has three components: the agency number, a digit indicating who issued the note and a sequence number. The ‘issuer digit’ is needed because, should the broker’s system be down, it is then still possible for an issue to take place centrally (i.e. at Broker Direct). A ‘1’ indicates broker and a ‘2’ identifies Broker Direct. The number cannot then be duplicated. So, for instance, agency number 43256 would generate numbers like:

Cover Note Number Allocation

                        Issued by Broker    Issued by Broker Direct
1st Cover Note Number   432561000000        432562000000
2nd Cover Note Number   432561000001        432562000001
3rd Cover Note Number   432561000002        432562000002

The data is stored in the Access Database using a DAO (Data Access Object) recordset.

The database fields are concatenated into a string, encrypted using an open licence encryption module, and appended to a text file. The text file is then saved into the installation directory.

I decided to create a copy of the text file with hidden attributes and store it in a secret location on the client machine. This adds to the security. If illicit dealings were suspected and a user had deleted the installation folder, the data can be retrieved from the secret location.

A MAPI (Messaging Application Program Interface) session is started, which creates an email. The text file is attached to the email and the email is sent to the client’s email outbox. This works for MS Outlook and Outlook Express, Exchange Server, Lotus cc:Mail and GroupWise email software.

If the client uses Hotmail, Yahoo or another Web-based email system, the location of the text file is displayed and the user is advised to attach the file to an email manually. The technology analysis found that 76% of brokers used MS Outlook or Outlook Express.

I wouldn’t have believed it before starting the project, but printing a cover note caused more problems than any other area. VB does have a simple reporting facility, but I found it cumbersome and could not get it to deal with multiple tables in one report. Broker Direct had a spare licence for Crystal Reports, which I decided to integrate into the system.

Crystal Reports was relatively straightforward to use. It could pull the required fields in from the Access Database using DAO or ADO and printed without a problem on my machine. However, when I tested the system elsewhere, I encountered numerous mind-boggling problems. It would print on one Windows 95 machine but not another. It would do the same with XP. I persevered with it for about three weeks (bearing in mind this was mainly weekends and evenings) and was eventually thrown a lifeline by my cousin, Graham Allmendinger, an experienced VB developer. He had encountered a similar problem and was now using Active Reports from Data Dynamics. Broker Direct approved the purchase and I acquired a copy. Active Reports was very straightforward to use, with excellent help and example files included. The report worked first time across all platforms without any problems, which was a relief.

The version of the system that resides at Broker Direct must assimilate the data that is received from the 1200 brokers with the Broker version of the system. The routine was straightforward to build as it is simply the opposite of the routine that was developed to produce the Cover Note.

Neil Davidson, Internal Systems Manager at Broker Direct, developed a separate routine to extract the text files from the MS Exchange Server and copy them to the program folder. The Cover Note system then reads the contents of each file and strips out the delimited fields before creating a DAO Recordset and creating a new record for them in the ‘Master’ Database.
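The export and import routines described above, as an added example that is not the Cover Note system's own code. In place of the article's unnamed encryption module it authenticates each record with an HMAC-SHA256 tag, so the central import can reject altered or repeated lines before they reach the master database; the delimiter, escaping rules, field order and function names are assumptions.

```python
import hashlib
import hmac

DELIM, ESC = "|", "\\"  # assumed field delimiter and escape character


def _escape(field: str) -> str:
    # Escape the escape character first, then the delimiter and newlines.
    field = field.replace(ESC, ESC + ESC).replace(DELIM, ESC + DELIM)
    return field.replace("\n", ESC + "n")


def _split(body: str) -> list[str]:
    fields, cur, chars = [], [], iter(body)
    for ch in chars:
        if ch == ESC:
            nxt = next(chars, "")
            cur.append("\n" if nxt == "n" else nxt)
        elif ch == DELIM:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def export_record(key: bytes, fields: list[str]) -> str:
    """Broker side: one line per cover note; the first field is its number."""
    body = DELIM.join(_escape(f) for f in fields)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}{DELIM}{tag}"


def import_file(key: bytes, text: str, seen: set[str]):
    """Central side: return (accepted records, rejected line numbers)."""
    accepted, rejected = [], []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line:
            continue
        body, _, tag = line.rpartition(DELIM)
        good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good.encode(), tag.encode()):
            rejected.append(lineno)      # altered or malformed line
            continue
        fields = _split(body)
        if fields[0] in seen:
            rejected.append(lineno)      # cover note number already imported
            continue
        seen.add(fields[0])
        accepted.append(fields)
    return accepted, rejected
```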

Broker Direct are rolling out the system in stages so as not to overwhelm the staff that are now responsible for the system. There are currently 160 users of the system and 350 Cover Notes have been received.

Lincoln’s Software Development Degree provided the building blocks for me to put this project together from planning through research, specification, design, implementation and finally testing. Although I had to learn to use VB6 in my own time, the fundamental programming education was invaluable. Data types, data integrity, set theory, predicate logic, database theory and good programming practice all came together. When I was learning the theory I could not always see the benefits, but in context it was blatantly apparent how these fundamentals were of vital importance.

As luck would have it, I received my Degree results as I was writing this article and am pleased to say that I have been awarded a 2:1 degree in Computing Software Engineering. Not bad, when I think back to the birth of my second child, my wedding, moving house and working full-time throughout the five years that I studied.

I would like to thank my lecturers Kevin Jacques, Linda Hitchin, Phil Richardson and Chris Coulson, who were enthusiastic, organised, patient and above all excellent communicators.

You can contact Tony at tonyg@goodstyle.karoo.co.uk.
