05-07-2008, 05:29 AM
temi
Facilitator
Join Date: Jun 2003
Location: London, England.
Common database security misconception

The CTO of Sentrigo put together a list of common misconceptions about database security, which I find quite useful. Two of the misconceptions are below; you can find the full list here.


1. “My databases are all behind firewalls and IDS/IPS so I’m protected”
-- Not so. Attacks can originate inside the organization, and even those originating from the outside can bypass firewalls and IDS/IPS. An SQL injection attack would use an open port via a web application, for instance, and if slightly altered from common SQL injection signatures it would easily evade IDS/IPS.

2. “We have full auditing turned on, so we know everything that’s happening in the database”
-- First off, it’s unlikely that you have full DBMS auditing turned on. You may have told the DBA to do it, and maybe he did, but then 5 minutes later he turned it off. Why? Because it made the database crawl. Additionally, even with full audit turned on you will only know of an attack after it already happened. Additionally, many privileged users can turn audit off or delete/tamper with the audit trail and do things without leaving a trace.
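To make the first point concrete, here is an added example that is not part of the original post or of Sentrigo's material. It builds a small in-memory SQLite table (constructed sample data), a naive signature list standing in for an IDS/IPS rule (an assumption, modelled on the textbook `' OR '1'='1` pattern), and two login queries: one that concatenates user input into the SQL string and one that uses bound parameters. A lightly altered tautology slips past the signature but still bypasses the vulnerable query, while the parameterized query rejects both payloads.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for this example; the schema is an assumption.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    con.commit()
    return con


# Stand-in for a signature-based IDS/IPS rule set (assumption, not a real product's rules).
# It matches the well-known "' OR 1=1" / "' OR '1'='1" tautology and "UNION SELECT".
SIGNATURES = [
    re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
]


def ids_flags(payload):
    """True if the perimeter signature would have blocked this input."""
    return any(sig.search(payload) for sig in SIGNATURES)


def login_vulnerable(con, name, password):
    """Classic injectable query: user input is spliced into the SQL text."""
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, name, password):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


def demo():
    con = make_db()
    payloads = {
        # The payload most signature sets were written against.
        "textbook": "' OR '1'='1",
        # Same logic, slightly altered: different constant, inline comment
        # instead of whitespace, and a trailing comment to swallow the closing quote.
        "altered": "' OR/**/2>1 --",
    }
    results = {}
    for label, payload in payloads.items():
        # The payload is supplied as the password so that the injected OR
        # sits outside the (name AND password) conjunction and matches every row.
        results[label] = {
            "ids_flags": ids_flags(payload),
            "vulnerable_rows": login_vulnerable(con, "alice", payload),
            "parameterized_rows": login_parameterized(con, "alice", payload),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The "altered" payload returns every user id from the vulnerable query just as the textbook one does, but the signature never fires; the parameterized query returns no rows for either. The network device only ever sees one fixed pattern, while the database executes whatever the application hands it, which is why the fix belongs in the query, not only at the perimeter.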