I am developing a custom server application that will access a database. I need to decide where I will store the credentials (and the address) to that server.
A common so
Lock it down. Prevent Mr. Evil from gaining root. I know, easy, right?
Write a secure application and keep your application server locked down. Follow best practices there, and that's most of the work.
When I've set up databases in a secure environment, the only server that was on the same physical network with the database server was the application server. There were two ways to access the database server:
Therefore, in order to compromise the database server, they'd have to compromise the application server.
So, lock down the application server. Of course the only thing worse than being compromised is being compromised and not knowing about it. If you do discover a compromise, you need to fix the vulnerability if there was one. Forensics are important here (enable logs and monitor them). You also need a recovery plan in place.
Prevention, detection, correction, and recovery are paramount.