Tips for Db Security
Disclaimer : This post keeps in mind the web frontends and web applications based attacks on DB Servers in mind.
Any Userid used for web application connectivity should be clipped to specific ip addresses that could be localhost in case of same server usage for Db and App server. If two separate servers are used then clip the user id (s) with the application server ip address / hostname. Keep a strick log of who access the id and when.
1st entry in user /password data base should be a dummy entry with zero privilege and could be used to act as honeypot too.
Default accounts to be removed / blocked.
User Input validation should be a 3 step process.
Web Page / Client Side validation : Jscript.
Server (Application) : OWASP ESAPI or custom functions ocould be used.
DB: use PL/SQL functions to strip input data.
Another good utility to keep in mind is DBA_USERS_WITH_DEFPWD : contains list of users with default passwords, and with 11g all default accounts are locked.
Web application developers should be provided with 3 different user level access to be used inside web application.
Read Access : user with access to select query only.
Write access: User with select update and delete access
App_mod : access to write access plus drop and trunk.
Developers need to make sure the proper user access is used as and when required.
Note : I know a large number of developers might start crying on this that this will increase their headache but then in long run this could turn out to be a life saver.
Please share your opinion is this a good approach, is it going to help you. What do you thing should be added to this.