A significant oil and gas company encountered critical obstacles in scaling the security of its global applications. With a dispersed technical workforce, their security and development departments operated separately, each adhering to its own priorities.
This segmented approach led to considerable delays in addressing vulnerabilities, missed security risks, and dissatisfaction among developers.
A Common Industry Challenge
In large, complex enterprises, security is often perceived as a gatekeeper rather than an enabler. Security teams focus on spotting vulnerabilities but often lack effective mechanisms for implementing fixes.
Concurrently, development teams, under pressure to deliver features quickly, tend to view security as an external element instead of a core aspect of their processes. This misalignment results in several issues:
- Backlogs of Unresolved Security Issues: Security vulnerabilities accumulated as developers lacked direct accountability, often prioritising feature development over remediation.
- Slow, Inefficient Security Processes: Security functioned as an external checkpoint, causing delays in addressing vulnerabilities that could stretch over multiple development sprints.
- Lack of Clear Ownership: Security was seen as a separate responsibility, leading to inconsistent application of best practices and increased organisational risk.
- Developer Resistance: Security reviews were often perceived as an additional burden, hindering release processes instead of supporting secure development.
These challenges are prevalent across large organisations where scale and competing priorities complicate security integration. Recognising the need for a new approach, the company opted to integrate security within its development lifecycle proactively without hindering innovation.
Embedding Security Engineers in Development Teams
To dismantle silos and enhance security efficiency, the company embedded Security Engineers within its development teams, ensuring immediate availability of security expertise and fostering a proactive security culture.
- Integration of Security Engineers: Security professionals became integral members of development teams, integrating security expertise into daily operations.
- Seamless and Developer-Friendly Security: By partnering with developers, security engineers automated security checks and integrated them into existing workflows.
- Accelerated Vulnerability Remediation: Vulnerabilities were identified and resolved within the same sprint, transitioning to an ongoing cycle of security integration.
- Building Long-Term Capability: Developers were trained to manage security within their codebases, fostering self-sufficiency and reducing reliance on external teams.
- Minimised External Reviews: Shifting security efforts to the development stage allowed teams to manage risks proactively and avoid costly after-the-fact solutions.
The Outcome: Security as an Enabler
By embedding security engineers in development teams, the company realised several benefits:
- Faster Security Fixes: Vulnerability resolution times improved, often being completed within a single development sprint.
- Enhanced Collaboration: Security became intrinsic to development teams, facilitating immediate access to security guidance and fostering better coding practices.
- Reduced Bottlenecks: Real-time support from security reduced delays in identifying and fixing vulnerabilities.
- Scalable Security Culture: Developers assumed ownership of security, creating a sustainable model that integrated security across all development stages.
Overall, this transformation allowed the company to efficiently scale its security protocols while maintaining development momentum. Embedding security engineers shifted their approach from reactive fixes to proactive security integration, enabling a more robust and rapid method for securing applications.
A major oil and gas organisation faced a critical challenge in securing its applications at scale. With a vast, globally distributed technical organisation, security and development teams operated in isolation, each focused on their own priorities.
This siloed approach created significant bottlenecks, leading to slow vulnerability remediation, missed security risks, and frustrated developers.
A common problem in large enterprises
In large, complex organisations, security is often seen as a gatekeeper rather than an enabler. Security teams are tasked with identifying vulnerabilities but lack the mechanisms to ensure fixes are implemented effectively.
Meanwhile, development teams are under pressure to deliver features rapidly, often seeing security as an external function rather than a core part of their workflow. This misalignment results in:
- Backlogs of Unresolved Security Issues: Security vulnerabilities piled up because developers had no direct accountability for remediation. Without embedded security expertise, fixes were delayed or deprioritised in favour of feature development.
- Slow, Inefficient Security Processes: Security was treated as an external checkpoint rather than an integrated function. Developers had to hand off security-related work, leading to long lead times between identifying and resolving vulnerabilities—sometimes spanning multiple sprints.
- Lack of Clear Ownership: Security was considered “someone else’s problem,” rather than a shared responsibility. Without direct security support within development teams, security best practices were inconsistently applied, increasing risk across the organisation.
- Developer Resistance to Security Processes: Developers often saw security as a blocker rather than a partner. Security reviews felt like an extra burden, slowing down releases rather than enabling a more secure development process.
These challenges are not unique to this organisation—they are common across large enterprises where scale, complexity, and competing priorities make security integration difficult. The organisation knew it needed a different approach—one that would embed security into the development lifecycle without slowing down innovation.
The solution: Embedding security engineers into development teams
To break down silos and improve security efficiency, the organisation introduced Embedded Security Engineers within development teams. This approach ensured that security expertise was always available where it was needed, eliminating bottlenecks and enabling a proactive security culture.
Key Changes Implemented:
- Security Engineers Became Part of Dev Teams
  - Instead of working as an external function, security engineers were placed directly into development teams.
  - This eliminated handoffs and competing priorities, ensuring security expertise was built into day-to-day development.
- Security Became Seamless and Developer-Friendly
  - Security engineers worked alongside developers to automate security checks and integrate them into existing workflows.
  - Hands-on support was provided to help developers understand why security fixes mattered and how to address them efficiently.
- Faster Vulnerability Remediation
  - With security engineers embedded, vulnerabilities were now identified, triaged, and resolved within the same sprint.
  - The organisation moved from reactive, end-of-cycle security interventions to continuous security integration.
- Building Long-Term Security Capability
  - Developers were trained to proactively manage security in their codebases, reducing dependency on external security teams.
  - Teams created and maintained their own threat models within a few sprints, enabling self-sufficiency in secure development.
- Minimised Dependency on External Reviews
  - Security was no longer an afterthought that required costly external audits or last-minute fixes.
  - By shifting security “left” into development, teams could proactively manage risks before they became critical issues.
The outcome: Security as an enabler, not a barrier
By embedding security engineers within development teams, the organisation achieved:
- Faster Security Fixes
  - What once took multiple sprints to resolve was now often fixed within a single sprint.
  - Security became an enabler of fast, secure development rather than a blocker.
- Stronger Collaboration Between Dev and Security
  - Security was no longer a separate function—it was part of the team.
  - Developers had immediate access to security guidance, leading to better, more secure coding practices.
- Reduced Bottlenecks and Handoffs
  - Security was no longer a slow-moving external review process.
  - Developers had real-time security support, eliminating delays in identifying and fixing vulnerabilities.
- A Scalable, Self-Sufficient Security Culture
  - Developers took ownership of security, reducing reliance on a stretched central security team.
  - Teams became security champions within their own projects, ensuring security was integrated into every stage of development.
Conclusion: A model for large-scale security integration
This transformation enabled the organisation to scale its security practices without slowing down development.
By embedding security engineers within development teams, they shifted from reactive security fixes to proactive security integration, ensuring a faster, more resilient approach to securing applications.