The SDL Chronicles – How an Engineering Culture Change Driven by Security Needs Paid Off

We recently had the opportunity to get an inside look into a large company’s journey addressing a web application security incident that led to a deep analysis and change in how a development organization builds security into their software development process. 


MidAmerican Energy Holdings Company is a global leader producing energy from diversified fuel sources for the U.S. and U.K. consumer markets with approximately 6.9 million electricity and gas customers worldwide. In mid-May 2008, the MidAmerican Energy website was under attack from a botnet titled banner82. Botnets are networks of compromised computers controlled by hackers known as “bot-herders” and have become a serious problem in cyberspace.


The company has a long tradition of customer service so this was a very important issue to them. They surveyed industry best practices and chose the Microsoft Security Development Lifecycle (SDL) as their preferred process for developing secure software and changing their engineering practices.


This story is captured in a new case study that takes you through the entire story of the cyber-attack and steps to resolution. Important issues show up like the need for executive support and how to get everyone onboard as MidAmerican raised security development as a central focus for their internal development group moving forward. The case study validates the need to make deep changes when necessary within the software development culture versus performing “security around the edges”. Other important insights detail how an aggressive timeline created focus and gave everyone a clear goal. The case study reports on how the company was able to significantly reduce the number of vulnerabilities and meet their security goals while setting the company up for long term success.


What we found particularly interesting was that after they went through this experience, MidAmerican was not only creating more secure applications but they also found something they hadn’t counted on. The SDL’s process requirements and the resultant engineering culture shift had brought together the entire development organization with QA in a way they hadn’t seen previously. Together they engaged in the SDL process and as a result there were fewer security bugs that were found and needed to be fixed late in the process – when it is most expensive. MidAmerican saw a real productivity gain out of their development organization, not just better application security. These ROI results mirror the key findings from the recent Forrester Consulting thought leadership paper as well as the Aberdeen Group research report. You might also want to take a look at the SDL Progress Report as it provides much of the same information that MidAmerican used to make their decision to implement the SDL.


Check out this fascinating real life story that we often don’t get to hear.



About the Author

Trustworthy Computing, Microsoft

Douglas Cavit helps protect and secure global critical information infrastructure through technology innovation and collaborative efforts with others in industry and government. Specifically, he drives forward the SDL process as a methodology to improve development and implementation of technology in Read more »