RiverSafe Limited - Experts & Thought Leaders

Latest RiverSafe Limited news & announcements

Integrating Security Engineers For Efficient Workflow

A major oil and gas organization faced a critical challenge in securing its applications at scale. With a vast, globally distributed technical organization, security and development teams operated in isolation, each focused on their own priorities. This siloed approach created significant bottlenecks, leading to slow vulnerability remediation, missed security risks, and frustrated developers.

A common problem in large enterprises

In large, complex organizations, security is often seen as a gatekeeper rather than an enabler. Security teams are tasked with identifying vulnerabilities but lack the mechanisms to ensure fixes are implemented effectively. Meanwhile, development teams are under pressure to deliver features rapidly, often seeing security as an external function rather than a core part of their workflow. This misalignment results in:

- Backlogs of Unresolved Security Issues: Security vulnerabilities piled up because developers had no direct accountability for remediation. Without embedded security expertise, fixes were delayed or deprioritised in favour of feature development.
- Slow, Inefficient Security Processes: Security was treated as an external checkpoint rather than an integrated function. Developers had to hand off security-related work, leading to long lead times between identifying and resolving vulnerabilities—sometimes spanning multiple sprints.
- Lack of Clear Ownership: Security was considered “someone else’s problem,” rather than a shared responsibility. Without direct security support within development teams, security best practices were inconsistently applied, increasing risk across the organization.
- Developer Resistance to Security Processes: Developers often saw security as a blocker rather than a partner. Security reviews felt like an extra burden, slowing down releases rather than enabling a more secure development process.
These challenges are not unique to this organization—they are common across large enterprises where scale, complexity, and competing priorities make security integration difficult. The organization knew it needed a different approach—one that would embed security into the development lifecycle without slowing down innovation.

The solution: Embedding security engineers into development teams

To break down silos and improve security efficiency, the organization introduced Embedded Security Engineers within development teams. This approach ensured that security expertise was always available where it was needed, eliminating bottlenecks and enabling a proactive security culture.

Key Changes Implemented:

- Security Engineers Became Part of Dev Teams: Instead of working as an external function, security engineers were placed directly into development teams. This eliminated handoffs and competing priorities, ensuring security expertise was built into day-to-day development.
- Security Became Seamless and Developer-Friendly: Security engineers worked alongside developers to automate security checks and integrate them into existing workflows. Hands-on support was provided to help developers understand why security fixes mattered and how to address them efficiently.
- Faster Vulnerability Remediation: With security engineers embedded, vulnerabilities were now identified, triaged, and resolved within the same sprint. The organization moved from reactive, end-of-cycle security interventions to continuous security integration.
- Building Long-Term Security Capability: Developers were trained to proactively manage security in their codebases, reducing dependency on external security teams. Teams created and maintained their own threat models within a few sprints, enabling self-sufficiency in secure development.
- Minimised Dependency on External Reviews: Security was no longer an afterthought that required costly external audits or last-minute fixes. By shifting security “left” into development, teams could proactively manage risks before they became critical issues.

The outcome: Security as an enabler, not a barrier

By embedding security engineers within development teams, the organization achieved:

- Faster Security Fixes: What once took multiple sprints to resolve was now often fixed within a single sprint. Security became an enabler of fast, secure development rather than a blocker.
- Stronger Collaboration Between Dev and Security: Security was no longer a separate function—it was part of the team. Developers had immediate access to security guidance, leading to better, more secure coding practices.
- Reduced Bottlenecks and Handoffs: Security was no longer a slow-moving external review process. Developers had real-time security support, eliminating delays in identifying and fixing vulnerabilities.
- A Scalable, Self-Sufficient Security Culture: Developers took ownership of security, reducing reliance on a stretched central security team. Teams became security champions within their own projects, ensuring security was integrated into every stage of development.

Conclusion: A model for large-scale security integration

This transformation enabled the organization to scale its security practices without slowing down development. By embedding security engineers within development teams, they shifted from reactive security fixes to proactive security integration, ensuring a faster, more resilient approach to securing applications.

Enhance Security with Akamai WAAP & RiverSafe

As one of the UK’s best-known retailers, the customer faced relentless web and API attacks, putting customer data, revenue, and brand trust at risk. To strengthen their defences, they invested in Akamai WAAP, a widely adopted web and API protection platform that quickly became a cornerstone of their security strategy. But like any powerful technology, it required ongoing expertise and fine-tuning to deliver its full potential.

Development and security teams

Without that focus, false positives slowed releases, security policies became outdated, and the platform wasn’t optimised to defend against evolving threats. This created friction between the development and security teams. Yet Akamai remained a critical part of their defence strategy, providing some of the strongest protections available in the market. The challenge wasn’t the platform; it was ensuring it was continuously optimised and aligned to business needs.

That’s when they turned to RiverSafe. They needed a partner to unlock the full value of their Akamai investment, managing, optimising, and evolving the platform, without the cost and risk of building specialist expertise in-house.

SOC Transformation With RiverSafe And Google SecOps

As part of a major SOC transformation programme, the customer, a global telco, was migrating to Google SecOps to modernise its threat detection and response capabilities. But while the new platform offered world-class analytics and detection tools, the supporting processes were manual, inconsistent, and hard to govern.

YARA-L detection rules were deployed manually via the console, making governance and version control difficult. This made it hard to maintain consistent logic across environments and slowed the rollout of new detections.

Reference data, the shared intelligence that detection logic depends on, was stored in spreadsheets and local repositories. Analysts worked from their own versions, causing data drift, duplication, and false positives.

And configuring log forwarders was a repetitive, manual task. Every new data source required unique setup and permissions, creating delays, errors, and gaps in visibility.

The result was a SOC that had the right tools, but lacked the agility and assurance to use them effectively. Changes took too long, governance was reactive, and visibility was inconsistent.

The approach: Embedding DevOps discipline into SecOps

RiverSafe combined its SOC, SIEM, and DevSecOps expertise to design a Terraform-based automation framework, one of the first enterprise-scale deployments using the official Google SecOps Terraform provider. This became the foundation for a Detection-as-Code model that made detections, data, and log ingestion fully version-controlled, governed, and repeatable.

What they did:

1. Detection-as-Code

- Built Terraform modules to define, validate, and deploy YARA-L rules directly from version-controlled YAML manifests.
- Integrated automated validation pipelines via GitHub Actions to ensure rule syntax compliance and prevent deployment of invalid logic.
- Implemented Git tag–based versioning, ensuring each deployment of detection rules was tied to a specific, immutable version for traceability and rollback.
- Supported environment-based branching (pre-production and production), enabling controlled promotion of validated detections.

Outcome: Detection logic could now be deployed in minutes, not days, with full traceability and rollback. The SOC gained the ability to respond to emerging threats faster, with total confidence in what was running in each environment.

2. Reference Data Automation

- Created Terraform resources for defining and maintaining shared reference lists (e.g., IP, domain, and hash intelligence).
- Implemented efficient delta updates, ensuring only modified entries were applied to Google SecOps, improving accuracy and auditability.
- Introduced schema validation and consistency enforcement across multiple detection dependencies.

Outcome: Reference data became a single source of truth – consistent, accurate, and always up to date. This eliminated conflicting detections and false positives, improving the reliability of alerts and reducing noise in the SOC.

3. Forwarder and Log Ingestion Automation

- Automated configuration of Google SecOps forwarders for key data sources such as firewall, proxy, and endpoint logs.
- Standardised IAM setup, service accounts, and routing configuration to ensure secure and repeatable onboarding of new feeds.

Outcome: Reduced onboarding time from hours to minutes, ensuring secure, consistent ingestion of new log sources and faster access to critical telemetry across the enterprise.

The impact: Faster, stronger, more secure operations

By embedding automation and DevOps practices into its SOC, the organization achieved measurable improvements in efficiency, governance, and resilience:

- 80% reduction in manual configuration, freeing analysts to focus on threat hunting, not maintenance.
- Near-zero configuration drift between environments, delivering consistent coverage across global operations.
- Faster rule deployment, from hours or days to minutes, accelerating the SOC’s ability to respond to threats.
- Clear governance and rollback capability, ensuring every change was tracked, tested, and trusted.

The SOC is now faster, leaner, and more confident, and able to operate at enterprise scale with automation as its foundation. It’s a model for how modern enterprises can evolve from traditional operations to automated, code-driven security at scale.
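The reference data step of the approach above (schema validation, then delta updates so that only changed entries are pushed to the SIEM) can be illustrated with the following Python. It is an added example, not RiverSafe's framework and not the Google SecOps Terraform provider: the manifests and the snapshot of currently deployed lists are constructed inline, and `validate_entry` / `plan_delta` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample manifests: the desired state of three shared reference
# lists, as they would be loaded from version-controlled YAML (values are made up).
DESIRED = {
    "blocked_ips":  {"type": "ip",     "entries": ["10.0.0.5", "203.0.113.7", "198.51.100.0/24"]},
    "c2_domains":   {"type": "domain", "entries": ["bad.example", "evil.example"]},
    "known_hashes": {"type": "hash",   "entries": ["d41d8cd98f00b204e9800998ecf8427e"]},
}

# Constructed snapshot of what is currently deployed (what the SIEM reports today).
CURRENT = {
    "blocked_ips": ["10.0.0.5", "192.0.2.9"],
    "c2_domains":  ["bad.example"],
}

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
HASH_LENGTHS = {32, 40, 64}  # hex digest lengths for MD5, SHA-1, SHA-256


def validate_entry(list_type, value):
    """Return None if value fits the list's schema, otherwise an error string."""
    if list_type == "ip":
        try:
            ipaddress.ip_network(value, strict=False)  # accepts hosts and CIDR ranges
            return None
        except ValueError:
            return f"not an IP or CIDR: {value!r}"
    if list_type == "domain":
        return None if DOMAIN_RE.match(value.lower()) else f"not a domain: {value!r}"
    if list_type == "hash":
        ok = len(value) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", value.lower())
        return None if ok else f"not a hex digest: {value!r}"
    return f"unknown list type: {list_type!r}"


def plan_delta(desired, current):
    """Validate every manifest, then compute per-list add/remove deltas.
    Returns (errors, plan); a non-empty errors list means nothing should be applied."""
    errors, plan = [], {}
    for name, spec in desired.items():
        entries = spec["entries"]
        if len(set(entries)) != len(entries):
            errors.append(f"{name}: duplicate entries")
        for entry in entries:
            err = validate_entry(spec["type"], entry)
            if err:
                errors.append(f"{name}: {err}")
        want, have = set(entries), set(current.get(name, []))
        add, remove = sorted(want - have), sorted(have - want)
        if add or remove:  # an unchanged list produces no API call at all
            plan[name] = {"add": add, "remove": remove}
    return errors, plan
```

In a pipeline this would run on every pull request, failing the build on any error so that a malformed entry never reaches production, and the resulting plan is what gets applied (and logged for audit) rather than a full rewrite of every list.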