[ISN] Code Security: MidAmerican Energy's top priority after SQL injection attacks

http://www.csoonline.com/article/594613/Code_Security_MidAmerican_Energy_s_top_priority_after_SQL_injection_attacks

By Bill Brenner
Senior Editor
CSO
May 21, 2010

MidAmerican Energy Company is the largest utility in Iowa, strategically 
located in the middle of several major markets in the Midwest, providing 
service to more than 725,000 electric customers and more than 707,000 
natural gas customers in a 10,600 square-mile area from Sioux Falls, 
S.D., to the Quad Cities area of Iowa and Illinois. This makes it a 
tempting target for an attacker bent on striking a blow to critical 
infrastructure.

Under the direction of John Kerber, manager of information protection, 
MidAmerican did an extensive review of its security procedures and found 
that its spread-out network had to be tightened up, particularly when it 
came to Internet access. Since the company owns other utilities across 
the globe [including PacifiCorp, which provides power to a large swath 
of the West coast], there were too many Internet access points that 
could be targeted. More importantly, though, the company found its 
biggest problem in the code that makes up its myriad applications for 
everything from power distribution to online billing services.

"Last May we had an incident where one of our web pages was exploited 
through an SQL injection flaw," Kerber said. "It was a wake-up call that 
we had vulnerabilities people could find out about."

In tackling the problem from the beginning of the app development 
process, MidAmerican is following a growing trend in the infosec 
community that relies less on bolt-on defenses and more on code 
security.

The code security trend includes the Rugged software movement, BSIMM -- 
the Building Security In Maturity Model -- and Microsoft's Security 
Development Lifecycle (SDL).

[...]


_______________________________________________
Best Selling Security Books and More!
Shop InfoSec News
http://www.shopinfosecnews.org/