Would you recommend such an application for production use?

From: Martin Bach <development_at_the-playground.de>
Date: Wed, 17 Feb 2010 21:20:04 +0000
Message-ID: <4B7C5D84.1060404_at_the-playground.de>

Dear listers,

I tried to come up with a good name for this post but couldn't. So here goes the story:

I have been asked to review a product that management is _very_ keen to deploy in production. Unfortunately before this can happen it has to go through a change management process which implies that "troublemakers" like me can raise their concerns that need addressing. For a change I have access to the source code of the application which makes it even more interesting.

I discovered a number of things I don't like but was wondering what you thought about these-maybe I'm just pedantic? Among the most terrifying ones are:

  • The installation script creates a user (default username = password) and grants select privileges on the dictionary to the new application user with grant option.

This is not too great but not too difficult to harden.

  • the installation script furthermore creates objects in the sys schema, namely create view foo as select * from someX$view

This is disturbing for me

  • the owner of the application schema grants almost complete access on its schema to public. The rationale is that the application needs to allow a user logging into the database through the frontend access to its schema

Now since the software is used for monitoring the health of a web application through the tiers-including Oracle-anyone with connect privileges could access these data...

Did anyone made a similar experience? What did you do?

Interested to hear comments!


Received on Wed Feb 17 2010 - 15:20:04 CST

Original text of this message