Oracle Database security vs Application Security
I come from an EBS background where all applications users log into the database as APPS, so the application security is totally different than the Database security. Whereas RMS uses database security to control application security. I work for a company that has been using RMS for about 2 years and we are starting to bring our RMS support in-house, so many of our security policies are just now being written. Also, we are a small shop, so production support is handled by the development staff.
I am struggling with how to reconcile production application access vs database access. I would like to allow the developers to be able to perform the normal updates and such through the application, but then restrict their database access to read-only, to prevent people from making direct updates to the various tables. But since, if you have the ability to update via the App, you can also update via the database, I am at a loss as to how to achieve this. I've debated creating database users separate from the application database users, but nothing would prevent a user from simply connecting