Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Code auditing essential for utilities protection

Fortify : 31 March, 2009  (Technical Article)
Analysis and audit of custom code an essential element of protecting utility networks from being hacked according to Fortify
Commenting on the reported vulnerability of the energy and utility networks to external attacks by hackers, Fortify Software, the software security assurance experts, says that the custom code seen in many energy applications means that program code auditing and analysis is now a must for security.

'The problem facing IT managers within energy companies is that a lot of programs they use on their IT resources are either heavily customised or written from scratch, such as SCADA applications,' said Rob Rachwald, Fortify's Director of Product Marketing.

'Because of this, the code auditing and review process must involve building security into the software from the ground level upwards. The problem is, however, that this is not a frequently used mantra in the energy industries, many of whom use modified Windows 98 and even DOS applications dating back several years,' he added.

According to Rachwald, the process of integrating security within the program code of energy companies is not to build operational standards, but preventative ones.

Rachwald says that Fortify has been working with Cigital, a consulting firm specialising in software security, to develop the 'Building Security In Maturity Model (BSIMM),' a set of benchmarks for developing and growing an enterprise-wide software security programme.

The BSIMM programme, details of which were released in early March,says Rachwald, are highly applicable to the reported security worries surrounding the vulnerability of utility, and in particular, energy networks, since they create benchmarks where none existed previously.

Under BSIMM, he explained, Fortify and Cigital have developed a structured set of practices based on real-world data and which provides an insight on what successful organisations actually do to build security into their software.

It also, he says, gives developers an understanding of how to mitigate the business risk associated with insecure applications.

'The North American Electric Reliability Corporation - NERC - has also been working on required source code reviews. This is especially relevant given the trend to using open source programs as a baseline for energy company customised software,' he said.

'Using the NERC approach to code auditing and reviewing is an excellent starting point on which to build a program audit process and a great step towards engendering a preventative mindset on the software development front,' he added.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo