Re: Privileges by session

• From: Michael Fontana <michael.fontana@xxxxxxxxxxx>
• To: Thomas LaPorte <Thomas.LaPorte@xxxxxxxxxxxxxx>
• Date: Fri, 8 Jan 2010 15:49:14 -0600 (CST)

There are standardized security protocols in the market to handle such issues, 
were they unable
to be dealt with by removing them from the code.

Ideally, there should be no hard-coded passwords in application source.  This 
is very dangerous in that
it can be easily uncovered by outside entities, which is even a bigger problem 
than internal people having access.

Secondly, even if this were true, we've had developers send the source code to 
security and operations with 
instructions on how to change and compile the code before implementation, so 
that the developers would not know
it's value.

It all comes down to the political necessity of securing applications.  It is 
not a technical issue at all.  
When there are tasks to be done to secure an application, and a company doesn't 
really want to pay the cost to
implement it, this indicates it's true priority.



----- Original Message -----
From: "Thomas A. La Porte" <Thomas.LaPorte@xxxxxxxxxxxxxx>
To: oracle-l@xxxxxxxxxxxxx
Sent: Friday, January 8, 2010 3:13:36 PM GMT -06:00 US/Canada Central
Subject: Re: Privileges by session

If the developers own the source code for the app, and the 
application user password is stored in the source code of the 
application, changing the password will, of necessity, entail 
informing the developers of the new password.

This is no where near "best practices" from a security 
standpoint, but it is such a common occurrence in all of our 
environments that the discussion here is worthwhile.

On Fri, 8 Jan 2010, Joan Hsieh wrote:

> I don't get it, even hard coded in the app. There must be a way to change the 
> pw. In our peoplesoft environment, the sysadm pw on dev and production are 
> different. All the developers must logon as their individual account which 
> grant a  select role privilege. No one knows the sysadm (application account) 
> pw except dba and peoplesoft admin.
>
> Blanchard, William wrote:
>
>> Correct.
>> 
>
>
> --
> //www.freelists.org/webpage/oracle-l
>
>
>
--
//www.freelists.org/webpage/oracle-l



-- 






Michael Fontana 

Sr. Technical Consultant 

Enkitec M: 214.912.3709 

enkitec

oracle_certified_partner




--
//www.freelists.org/webpage/oracle-l

• References:
  • Re: Privileges by session
    • From: Thomas A. La Porte

Other related posts:

• » Privileges by session- Blanchard, William
• » Re: Privileges by session- lyallbarbour
• » RE: Privileges by session- Blanchard, William
• » RE: Privileges by session- Jackie Brock
• » RE: Privileges by session- Blanchard, William
• » RE: Privileges by session- Christopher Boyle
• » RE: Privileges by session- Blanchard, William
• » RE: Privileges by session- Blanchard, William
• » RE: Privileges by session- Blanchard, William
• » RE: Privileges by session- Jackie Brock
• » Re: Privileges by session- Kellyn Pedersen
• » RE: Privileges by session- Blanchard, William
• » RE: Privileges by session- Blanchard, William
• » Re: Privileges by session- Jared Still
• » RE: Privileges by session- Blanchard, William
• » Re: Privileges by session- Michael Fontana
• » RE: Privileges by session- Blanchard, William
• » Re: Privileges by session- Jared Still
• » RE: Privileges by session- Blanchard, William
• » Re: Privileges by session- Andre van Winssen
• » RE: Privileges by session- Barun, Vlado
• » Re: Privileges by session- Jared Still
• » Re: Privileges by session- Robert Freeman
• » RE: Privileges by session- Andre van Winssen
• » Re: Privileges by session- Joan Hsieh
• » Re: Privileges by session- Thomas A. La Porte
• » Re: Privileges by session - Michael Fontana
• » Re: Privileges by session- Martin Berger
• » RE: Privileges by session- Upendra N
• » Re: Privileges by session- Martin Bach
• » Re: Privileges by session- Pete Finnigan
• » Re: Privileges by session- Peter Hitchman
• » RE: Privileges by session- Joel.Patterson
• » RE: Privileges by session- Barun, Vlado
• » Re: Privileges by session- Kellyn Pedersen
• » RE: Privileges by session- GovindanK
• » Re: Privileges by session- Pete Finnigan
• » Re: Privileges by session- Yechiel Adar
• » Re: Privileges by session- Jared Still
• » Re: Privileges by session- Yechiel Adar

1. Home
2. oracle-l
3. Archive
4. 01-2010

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---