Security Scope - Two Passwords Stored Everywhere

The core problem of Oracle security is that it was never designed for the purposes it is currently used for. You might not realize it, but no production database can use most of the security measures the way they were intended.

The Problem

If security moved one level up from the Oracle database to the application, why do we need to have security in the Oracle database? The reason is that even though the Oracle database security model is not in use, people can still connect to the database, run queries, change data, and more.
The only protection the Oracle database has is that you need a username and password to get in. Unfortunately, once you’ve logged into the Oracle database you have full access to all the data. Either type of account (application or DBA) will let you do anything, and no one will even know what you did.
Since the two passwords (application and DBA) give unlimited and unmonitored access, they should be kept extra safe... but are they?

The Application Password

Let’s make a short list of who has access to the application password:
  • Application administrators
  • Some of the developers
  • Development tools used by the developers often store passwords
  • At least one manager
  • Business analysts who need access
  • 24×7 support staff
  • Contractors, partners, or an outsourcing company helping to maintain the application
  • A spreadsheet used by the contractor/partner/outsourcing company to keep track of all the passwords they have
This password is also systematically stored in:
  • The application (on the application servers)
  • Maintenance scripts
  • ETL tools (ETL tools are also notorious for being lax on security)
  • Monitoring tools
Application passwords tend to change very infrequently (sometimes never). So once compromised, they remain so for a long time. That includes employees who have left the company and still know the password.

The DBA Password

Let’s make a short list of where DBA passwords are stored:
  • In the heads of the DBAs
  • In the applications DBAs use to connect to the database (like Toad), which often store passwords
  • In the web browsers DBAs use to connect to the database
  • A contractor, partner, or outsourcing company performing administrative work
  • A spreadsheet used by the contractor/partner/outsourcing company to keep track of all the passwords they have
The SYS password is a little more tricky since it has to be known to all the DBAs. There are a couple of options:
  • The SYS password is different in every database. This means the DBAs have a list (usually in a spreadsheet) to keep track of the passwords. We’ll come back to this list later.
  • The SYS password is the same in all the databases. This means DBAs can remember it, but once it’s compromised, all the databases are compromised. If it changes frequently, the DBAs will also have it written down somewhere.