Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Application userid security

From: Ed Stevens <spamdump_at_nospam.noway.nohow>
Date: Mon, 15 Apr 2002 12:58:42 GMT
Message-ID: <3cbacd3f.1391500@ausnews.austin.ibm.com>


On Mon, 15 Apr 2002 09:33:10 +0400, "Vladimir M. Zakharychev" <bob_at_dpsp-yes.com> wrote:

>Again, developers write that application and will know any secret token
>embedded into it. Keeping developers away from production is actually
>not a technical issue - the only way you can do it is to enable auditing
>and track all access to the production database, review it and detect any
>illegal access (whatever this means for your organization), then act
>accordingly (fire them, bring them to court, whatever).
>
>This reminds me of an old story about Bull Systems developing a
>unix-like OS which they intended to certify for A2. When asked, why
>won't they go for A1 right away, project manager answered that they,
>of course, could, but this would be inhumane as they would have to
>shoot all developers...
>
>Keeping developers away from production systems while granting them
>occasional access is impractical. A better solution is to mirror production
>system to a testbed (probably stripping off any sensitive data you want
>to keep secret, or replacing it with fake generated data) and if any problem
>arises, developers may use the mirror to resolve it and then production
>DBA and network admins will roll out the fix into production. Other than
>this, I don't see any other way but auditing (and you will need it anyway
>to be sure there's no unauthorized access).
>
>--
>Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
>Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
>All opinions are mine and do not necessarily go in line with those of my employer.
<snip>
Well, yes I have considered shooting the developers, but am told that does not fit with our company's policy of inclusiveness. ;-)

Sounds like what you're talking about is preventing them from testing code against production. Our concern is broader -- how to prevent them from manipulating production data.

Looks more and more like my original conclusion was correct -- that what management wants can't be done; the level of security they enjoy on the mainframe is a result of several OS level subsystems.

Received on Mon Apr 15 2002 - 07:58:42 CDT
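As an added example (not from either poster), this is how the auditing approach Vladimir describes could be set up and reviewed on an Oracle database: record every data change on the sensitive production tables, then look for changes issued by an account or from a host that the application itself would never use. The schema APPOWNER, the tables ORDERS and PAYMENTS, the account names APP_SVC and PROD_DBA and the host names are all placeholders, and the instance is assumed to run with audit_trail=DB.

```sql
-- Added example, not code from the thread. Assumes audit_trail=DB is set in
-- the init parameter file and the instance restarted; APPOWNER, ORDERS,
-- PAYMENTS, APP_SVC, PROD_DBA and the host names are placeholders.

-- 1. Record every DML statement against the sensitive production tables,
--    one audit row per statement (BY ACCESS) so nothing is collapsed.
AUDIT INSERT, UPDATE, DELETE ON APPOWNER.ORDERS   BY ACCESS;
AUDIT INSERT, UPDATE, DELETE ON APPOWNER.PAYMENTS BY ACCESS;

-- 2. Record every logon and logoff so a session can be tied to an OS user,
--    a client host and a terminal.
AUDIT SESSION BY ACCESS;

-- 3. Review query: every data change in the last day that was NOT issued by
--    the application's own service account or the DBA account, OR that came
--    from a host other than the application servers. A developer who connects
--    with the credential embedded in the application still appears here,
--    because OS_USERNAME, USERHOST and TERMINAL are recorded for the session
--    regardless of which database account was used.
--    Caveat: those three columns are reported by the client, so treat them as
--    corroboration for the review, not as proof of who was at the keyboard.
SELECT timestamp, username, os_username, userhost, terminal,
       owner, obj_name, action_name, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('INSERT', 'UPDATE', 'DELETE')
   AND owner = 'APPOWNER'
   AND timestamp > SYSDATE - 1
   AND ( username NOT IN ('APP_SVC', 'PROD_DBA')
         OR userhost NOT IN ('appserver1', 'appserver2') )
 ORDER BY timestamp;
```

The review query only detects manipulation after the fact, which is the limitation Ed's reply points at: auditing gives evidence and a deterrent, not the preventive separation the mainframe subsystems provide.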
