Re: Monitor the database?
It sounds like the next thing in security is something where each save to a script is also cryptographically signed. Here's an excellent idea from the comments on the original article:
Admin access should be restricted to only ssh/sftp sessions using PKI, so useless even if password known/brute forced. Of course one must keep the keys safe and it's no protection against vulnerabilities in the web app/os itself, but patching/scanning/pen testing and finally log monitoring do the rest.
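The signed-save idea from the post above, as an added example (not code from the post or from the article it refers to): each save records a keyed tag, and an audit flags scripts that were changed, added or removed outside that path. It uses HMAC-SHA256 from the Python standard library as a stand-in for a public-key signature; the function names, file names and key are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def tag_for(root: Path, rel: str, key: bytes) -> str:
    # Bind the relative path into the MAC so a validly tagged file cannot be
    # copied over a different script without detection.
    mac = hmac.new(key, rel.encode() + b"\0", hashlib.sha256)
    mac.update((root / rel).read_bytes())
    return mac.hexdigest()

def sign_on_save(root: Path, rel: str, content: bytes, key: bytes, manifest: dict) -> None:
    # The only sanctioned write path: store the script, then record its tag.
    (root / rel).write_bytes(content)
    manifest[rel] = tag_for(root, rel, key)

def audit(root: Path, key: bytes, manifest: dict) -> dict:
    # Compare every file on disk and every manifest entry; report per script.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report = {}
    for rel in sorted(on_disk | set(manifest)):
        if rel not in on_disk:
            report[rel] = "missing"
        elif rel not in manifest:
            report[rel] = "unsigned"
        elif hmac.compare_digest(manifest[rel], tag_for(root, rel, key)):
            report[rel] = "ok"
        else:
            report[rel] = "modified"
    return report

def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: the real key is kept off the web host
    manifest = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sign_on_save(root, "index.php", b"<?php echo 'hi';", key, manifest)
        sign_on_save(root, "admin.php", b"<?php require 'auth.php';", key, manifest)
        sign_on_save(root, "old.php", b"<?php", key, manifest)
        # Constructed out-of-band changes that bypass sign_on_save
        (root / "index.php").write_bytes(b"<?php echo 'hi'; /* altered */")
        (root / "dropped.php").write_bytes(b"<?php /* never signed */")
        (root / "old.php").unlink()
        return audit(root, key, manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(status, name)
```

The check is only as trustworthy as the key and manifest storage: if either lives where the web application can write, a change made through the application can re-tag itself.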