COMPUTER WORLD

Company is evaluating financial software from three different vendors, and one of the reviews is assigned to this pilot fish.

“The one I was given to look at was originally written for Microsoft SQL Server, but was recently ported to Oracle,” fish says. “All the source code was provided, along with a non-disclosure agreement, of course.

“It relied heavily on a large number of database-compiled PL/SQL packages and stand-alone procedures/functions, which is usually a good design. All the SQL needed was embedded in the database, and the front-end only needed to call these routines.”

But as fish quickly discovers when he peruses the source code, all those packages have been compiled under the SYSTEM schema, which means they’re running with almost all available administrative privileges.
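
An audit query for the condition described above, as an added example (not from the article or the vendor's code): it lists PL/SQL units in the SYSTEM schema that were not installed by Oracle, whether they run with definer's rights, and who may execute them. It assumes Oracle Database 12c or later (for the `ORACLE_MAINTAINED` column) and a session that can read the `DBA_*` dictionary views.

```sql
-- PL/SQL units in the SYSTEM schema that were not supplied by Oracle.
-- AUTHID = 'DEFINER' means the code runs with SYSTEM's privileges,
-- regardless of which account calls it.
SELECT DISTINCT
       p.owner,
       p.object_name,
       p.object_type,
       p.authid,
       o.created,
       g.grantee AS execute_granted_to
FROM   dba_procedures p
JOIN   dba_objects o
       ON  o.owner       = p.owner
       AND o.object_name = p.object_name
       AND o.object_type = p.object_type
LEFT JOIN dba_tab_privs g              -- who has been granted EXECUTE on it
       ON  g.owner      = p.owner
       AND g.table_name = p.object_name
       AND g.privilege  = 'EXECUTE'
WHERE  p.owner = 'SYSTEM'
AND    p.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
AND    o.oracle_maintained = 'N'       -- exclude Oracle-installed objects (12c+)
ORDER  BY p.object_name, execute_granted_to;
```

Each row with `AUTHID = 'DEFINER'` is application code that executes as SYSTEM; the usual remedy is to compile it in a dedicated application schema that holds only the object privileges the routines need.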
