Would you recommend such an application for production use?

Dear listers,

I tried to come up with a good name for this post but couldn't. So here
goes the story:

I have been asked to review a product that management is _very_ keen to
deploy in production. Unfortunately before this can happen it has to go
through a change management process which implies that "troublemakers"
like me can raise their concerns that need addressing. For a change I
have access to the source code of the application which makes it even
more interesting.

I discovered a number of things I don't like but was wondering what you
thought about these-maybe I'm just pedantic? Among the most terrifying
ones are:

- The installation script creates a user (default username = password)
and grants select privileges on the dictionary to the new application
user with grant option.

This is not too great but not too difficult to harden.

- the installation script furthermore creates objects in the sys schema,
namely create view foo as select * from someX$view

This is disturbing for me

- the owner of the application schema grants almost complete access on
its schema to public. The rationale is that the application needs to
allow a user logging into the database through the frontend access to
its schema

Now since the software is used for monitoring the health of a web
application through the tiers-including Oracle-anyone with connect
privileges could access these data...

Did anyone made a similar experience? What did you do?

Interested to hear comments!

Martin
--
http://www.freelists.org/webpage/oracle-l

Other related posts: