
Re: Userid's/Passwords and Application Development

From: Pete's <empete2000_at_yahoo.com>
Date: 14 Jul 2003 10:40:02 -0700
Message-ID: <6724a51f.0307140444.440bd634@posting.google.com>


Just a couple notes on what I've observed here.

First, I don't appreciate the flames happening from what I posted. Second, I'm not their manager. Third, I was a developer before being a DBA. Four, I'm trying to gather information and support to try to change this behavior. Five, Management has known and seems to condone this behavior. Six, I'm asking because I know I could hack the databases here. Heck, I've been at this company for just over two years and I just found out that there's an Oracle DB implemented out in the field being tended to by users, well guess what, I hacked it right off the bat, took me maybe 2 seconds.

I thought I'd ask what I did to try to get a consensus on whether what I'm trying to change the DB security to is how others in this industry handle their DB security.

Disgusted,
Pete's

empete2000_at_yahoo.com (Pete's) wrote in message news:<6724a51f.0307110458.2d53a82a_at_posting.google.com>...
> I've got a bunch of developers that think they need to have schema
> password to develop their apps. Not only that, but, they hard code
> the userid/password in their web apps. However, they are protecting
> the pages via Active Directory and a product called Directory
> Smart(DS). Being a DBA for over 5 years, I believe that how they are
> using the Userid/Password is not an industry acceptable practice and
> that they really don't know how Oracle Security works. I'm trying to
> slightly change the way in which they develop so that any user
> logging into my DB's is not using a single userid/password(even if it
> is embedded). Note that when they enter the page, DS requires them in
> some manner to be a trusted user. My position is that DS protects the
> apps for being used by trusted users, but does not do enough to ensure
> protecting the database from a rogue user whether it be an internal or
> external user to the company. The passwords that get embedded appear
> to not ever change, which is bad. Another part of my position is that
> having this kind of setup, will never pass a real outside Audit.
>
> What I'm looking for is any sites/documents/information regarding
> Industry acceptable practices in the use of Userid/passwords in Oracle
> Databases. If anyone has info regarding this, I would be grateful if
> you send me links or places to search. I'm also in the CYA mode here
> because what's going on is not acceptable, i.e. letting the developers
> be responsible for protecting the data.
>
> My apologies if it sounds as if I'm venting.
>
> TIA,
> Pete's
Received on Mon Jul 14 2003 - 12:40:02 CDT
