A major oil and gas organization faced a critical challenge in securing its applications at scale. With a vast, globally distributed technical organization, security and development teams operated in isolation, each focused on their own priorities.
This siloed approach created significant bottlenecks, leading to slow vulnerability remediation, missed security risks, and frustrated developers.
A common problem in large enterprises
In large, complex organizations, security is often seen as a gatekeeper rather than an enabler. Security teams are tasked with identifying vulnerabilities but lack the mechanisms to ensure fixes are implemented effectively.
Meanwhile, development teams are under pressure to deliver features rapidly, often seeing security as an external function rather than a core part of their workflow. This misalignment results in:
- Backlogs of Unresolved Security Issues: Vulnerabilities piled up because developers had no direct accountability for remediation. Without embedded security expertise, fixes were delayed or deprioritized in favor of feature development.
- Slow, Inefficient Security Processes: Security was treated as an external checkpoint rather than an integrated function. Developers had to hand off security-related work, so the lead time between identifying and resolving a vulnerability was long, sometimes spanning multiple sprints.
- Lack of Clear Ownership: Security was considered “someone else’s problem” rather than a shared responsibility. Without direct security support inside development teams, security best practices were applied inconsistently, increasing risk across the organization.
- Developer Resistance to Security Processes: Developers often saw security as a blocker rather than a partner. Security reviews felt like an extra burden that slowed releases instead of enabling a more secure development process.
These challenges are not unique to this organization; they are common across large enterprises, where scale, complexity, and competing priorities make security integration difficult. The organization knew it needed a different approach: one that would embed security into the development lifecycle without slowing down innovation.
The solution: Embedding security engineers into development teams
To break down silos and improve security efficiency, the organization introduced Embedded Security Engineers within development teams. This approach ensured that security expertise was always available where it was needed, eliminating bottlenecks and enabling a proactive security culture.
Key Changes Implemented:
- Security Engineers Became Part of Dev Teams
  - Instead of working as an external function, security engineers were placed directly into development teams.
  - This eliminated handoffs and competing priorities, ensuring security expertise was built into day-to-day development.
- Security Became Seamless and Developer-Friendly
  - Security engineers worked alongside developers to automate security checks and integrate them into existing workflows.
  - Hands-on support helped developers understand why security fixes mattered and how to address them efficiently.
- Faster Vulnerability Remediation
  - With security engineers embedded, vulnerabilities were identified, triaged, and resolved within the same sprint.
  - The organization moved from reactive, end-of-cycle security interventions to continuous security integration.
- Building Long-Term Security Capability
  - Developers were trained to proactively manage security in their codebases, reducing dependency on external security teams.
  - Teams created and maintained their own threat models within a few sprints, enabling self-sufficiency in secure development.
- Minimized Dependency on External Reviews
  - Security was no longer an afterthought that required costly external audits or last-minute fixes.
  - By shifting security “left” into development, teams could manage risks before they became critical issues.
The outcome: Security as an enabler, not a barrier
By embedding security engineers within development teams, the organization achieved:
- Faster Security Fixes
  - What once took multiple sprints to resolve was now often fixed within a single sprint.
  - Security became an enabler of fast, secure development rather than a blocker.
- Stronger Collaboration Between Dev and Security
  - Security was no longer a separate function; it was part of the team.
  - Developers had immediate access to security guidance, leading to better, more secure coding practices.
- Reduced Bottlenecks and Handoffs
  - Security was no longer a slow-moving external review process.
  - Developers had real-time security support, removing the delays in identifying and fixing vulnerabilities.
- A Scalable, Self-Sufficient Security Culture
  - Developers took ownership of security, reducing reliance on a stretched central security team.
  - Teams became security champions within their own projects, ensuring security was integrated into every stage of development.
Conclusion: A model for large-scale security integration
This transformation enabled the organization to scale its security practices without slowing down development.
By embedding security engineers within development teams, they shifted from reactive security fixes to proactive security integration, ensuring a faster, more resilient approach to securing applications.