List: isn
Subject: [ISN] Code Security: MidAmerican Energy's top priority after SQL
From: InfoSec News <alerts () infosecnews ! org>
Date: 2010-05-24 5:27:01
Message-ID: Pine.LNX.4.61.1005240026520.27307 () conundrum ! infosecnews ! org
http://www.csoonline.com/article/594613/Code_Security_MidAmerican_Energy_s_top_priority_after_SQL_injection_attacks

By Bill Brenner
Senior Editor
CSO
May 21, 2010

MidAmerican Energy Company is the largest utility in Iowa, strategically
located in the middle of several major markets in the Midwest, providing
service to more than 725,000 electric customers and more than 707,000
natural gas customers in a 10,600 square-mile area from Sioux Falls,
S.D., to the Quad Cities area of Iowa and Illinois. This makes it a
tempting target for an attacker bent on striking a blow to critical
infrastructure.

Under the direction of John Kerber, manager of information protection,
MidAmerican did an extensive review of its security procedures and found
that its spread-out network had to be tightened up, particularly when it
came to Internet access. Since the company owns other utilities across
the globe [including PacifiCorp, which provides power to a large swath
of the West Coast], there were too many Internet access points that
could be targeted. More importantly, though, the company found its
biggest problem in the code that makes up its myriad applications for
everything from power distribution to online billing services.

"Last May we had an incident where one of our web pages was exploited
through an SQL injection flaw," Kerber said. "It was a wake-up call that
we had vulnerabilities people could find out about."

In tackling the problem from the beginning of the app development
process, MidAmerican is following a growing trend in the infosec
community that relies less on bolt-on defenses and more on code
security.

The code security trend includes the Rugged software movement, BSIMM --
the Building Security In Maturity Model -- and Microsoft's Security
Development Lifecycle (SDL).

[...]