I'm not sure about Oracle specifics ... but generally, a good model is as follows:
Create multiple database users, each with different levels of database access, depending on their role. These db users do not correspond to actual users, instead they correspond to roles, probably about 4: full access to create/drop/update tables etc., write access to update tables, read access to select from tables, execute stored procedures and functions.
For any type of modification to the data that your ASP.NET app requires, encapsulate this operation in a stored procedure. Essentially you write a data-access interface at the stored procedure level.
Create a "stored_procedure_executor" db user, whose access only permits executing certain stored procedures (and functions). This user does NOT have access to CREATE/DROP/UPDATE/SELECT directly from tables.
In your ASP.NET application, you only need to store/provide the connection string (db user login information) for the "stored_procedure_executor" db account.
During development, maintenance, support you will need the ability to CREATE/DROP/UPDATE/SELECT directly, and for this you can create additional db users with the appropriate level of access. But you will use these db accounts from db management tools, not via ASP.nET. Thus, the login info will never need to be exposed at the ASP.NET level.
This is primarily guided by security concerns, but also can improve performance as it forces you to think about the way/patterns in which the data will be accessed, and thus allows you to optimize both the structure of the database, as well as the implementation of the most-often used queries (embedded in stored procedures).