Userid's/Passwords and Application Development
I've got a bunch of developers that think they need to have the schema
password to develop their apps. Not only that, but they hard-code
the userid/password in their web apps. However, they are protecting
the pages via Active Directory and a product called Directory
Smart (DS). Being a DBA for over 5 years, I believe that how they are
using the Userid/Password is not an industry acceptable practice and
that they really don't know how Oracle Security works. I'm trying to
slightly change the way in which they develop so that any user
logging into my DBs is not using a single userid/password (even if it
is embedded). Note that when they enter the page, DS requires them in
some manner to be a trusted user. My position is that DS protects the
apps for being used by trusted users, but does not do enough to ensure
protecting the database from a rogue user whether it be an internal or
external user to the company. The passwords that get embedded appear
to not ever change, which is bad. Another part of my position is that
having this kind of setup will never pass a real outside Audit.
What I'm looking for is any sites/documents/information regarding Industry acceptable practices in the use of Userid/passwords in Oracle Databases. If anyone has info regarding this, I would be grateful if you send me links or places to search. I'm also in the CYA mode here because what's going on is not acceptable, i.e. letting the developers be responsible for protecting the data.
My apologies if it sounds as if I'm venting.
TIA,
Pete's
Received on Fri Jul 11 2003 - 07:58:28 CDT