Client Success Story
Securing a Global SAFe Program for a Leading Tech Company - DevSecOps by Design
Uniform DevSecOps and supply chain security: How companies master complex, global development programs.

Impact at a Glance
A unified, secure, and scalable DevSecOps framework that harmonized 10+ global teams, secured the software supply chain, and enabled innovation at the speed SAFe demands.
Initial Situation & Challenge
A leading technology company was running a large-scale development program using the Scaled Agile Framework (SAFe). The program involved more than 10 globally distributed DevOps teams, including nearshore, offshore, and external service providers. This complex and decentralized structure created significant challenges for security and governance. Each team used different tools and processes, and there was no unified approach to securing the CI/CD pipelines or managing the software supply chain. The rapid pace of development required by the SAFe framework had outpaced the company’s ability to enforce consistent security controls.
What Was at Stake
Without a unified security framework, the company faced significant and escalating risks that threatened the entire program, creating distinct challenges for key leaders:
- CISO: The absence of security guardrails created visibility gaps, and without an SBOM, third-party risks were unmanaged.
- CIO/CTO: Insecure and fragmented pipelines across 10+ teams undermined scalability and consistency.
- Program Leader: Late-discovered issues caused rework and delays, eroding the agility SAFe promised.
Our Approach: How We Tackled It
We implemented a secure-by-design framework that established a unified DevSecOps and supply chain security model for the entire program. The approach was transformational, not just technical:
- Establishing a Secure Baseline: The engagement began with a comprehensive assessment of the existing CI/CD pipelines and development practices across all teams. This created a clear picture of the risks and informed the creation of a realistic, phased implementation roadmap.
- Integrating Security into the SAFe Cadence: We became an integral part of the development rhythm. For each feature, dedicated security stories were co-created, including dependency analysis and effort estimation using t-shirt sizing. This enabled a risk-based approach where security improvements were prioritized and planned into each 3-month Program Increment (PI). By joining daily stand-ups and providing regular GRC reporting, we made security a transparent and continuous part of the agile process.
- Securing the Software Supply Chain: We mandated the generation of an SBOM for all applications. This was coupled with the integration of Software Composition Analysis (SCA) tools into the pipelines to automatically detect and block vulnerable third-party dependencies, ensuring visibility into the open-source landscape.
- Implementing DevSecOps Guardrails: A set of risk-based, automated security guardrails was embedded directly into the CI/CD pipelines. This went beyond simply adding tools – it created a secure development ecosystem:
  - Automated Security Testing: A multi-layered testing strategy was integrated, combining Static Application Security Testing (SAST) to find flaws early in the source code, before it is built, and Dynamic Application Security Testing (DAST) to identify vulnerabilities in the running application. This combination provided comprehensive coverage, with results fed directly back to developers for immediate remediation.
  - Hardening the CI/CD Environment: A centralized secrets management solution was implemented, replacing high-risk practices like hardcoded credentials or secrets stored in environment variables. Access control was fundamentally re-architected, implementing not only Role-Based Access Control (RBAC) for users but also Pipeline-Based Access Control (PBAC) to ensure that the pipeline execution nodes themselves operated with the minimum necessary permissions and were reverted to a clean state after each run.
  - Ensuring Code Integrity: To prevent unauthorized code injection, a strict policy of signing commits was enforced in the Source Code Management (SCM) system, creating a verifiable link between a developer and their code. This was extended to the final build stage, where artifact signing was implemented in the container repository to guarantee that only trusted, untampered artifacts were deployed to production.
- Empowering the Teams: We provided targeted training and hands-on support to all 10+ teams, equipping them with the knowledge and tools needed to take ownership of security within their agile workflows.
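To make the "SBOM plus SCA gate" described under Securing the Software Supply Chain concrete, here is an added illustration (not the client's tooling and not tied to any specific SCA product): a pipeline step that reads a CycloneDX-style SBOM, matches its components against an advisory list, and blocks the build when a finding meets the severity threshold. The SBOM fragment, the advisory entries and their identifiers are all constructed sample data.

```python
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed CycloneDX-style SBOM fragment (sample data, not a real release).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:pypi/libfoo@1.2.3"},
    {"type": "library", "name": "libbar", "version": "2.0.0", "purl": "pkg:pypi/libbar@2.0.0"},
    {"type": "library", "name": "libbaz", "version": "0.9.1", "purl": "pkg:pypi/libbaz@0.9.1"}
  ]
}"""

# Constructed advisories with placeholder IDs; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "EXAMPLE-0002", "name": "libbar", "introduced": "1.0.0", "fixed": "2.0.0", "severity": "critical"},
    {"id": "EXAMPLE-0003", "name": "libbaz", "introduced": "0.0.0", "fixed": "1.0.0", "severity": "low"},
]

def parse_version(v):
    """Dotted numeric versions only, which is enough for the constructed sample."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, advisory):
    """True when version falls inside the advisory's half-open affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) match found in the SBOM."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({"component": comp["purl"], "advisory": adv["id"], "severity": adv["severity"]})
    return findings

def gate(findings, block_at="high"):
    """Pipeline guardrail: fail when any finding is at or above the threshold severity."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return (len(blocking) == 0), blocking

if __name__ == "__main__":
    found = scan_sbom(SBOM_JSON, ADVISORIES)
    ok, blocking = gate(found)
    for f in found:
        print(f"{f['severity']:<8} {f['advisory']} {f['component']}")
    raise SystemExit(0 if ok else 1)  # non-zero exit code fails the CI stage
```

A real pipeline would fetch the advisory data from a vulnerability database rather than embedding it, and would run the same gate on every SBOM produced per release so that the visibility the text describes is continuous rather than one-off.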
Measurable Results from the Partnership
The engagement delivered a secure and efficient foundation for the company’s global development program, enabling them to innovate at scale without compromising on security:
- Unified Security Across All Teams: The new framework established a consistent and measurable security baseline for all internal and external development teams, ensuring that all code met the company’s security standards.
- Significant Reduction in Production Vulnerabilities: The “shift-left” approach, with automated security testing integrated into the pipelines, led to a reduction of up to 90% in critical vulnerabilities reaching production.
- Full Supply Chain Visibility: With a complete SBOM for every release, the company gained full visibility into its software dependencies, enabling rapid response to new supply chain threats.
- Accelerated and More Secure Releases: By automating security and providing developers with immediate feedback, the framework eliminated security as a bottleneck, accelerating secure software delivery cycles by more than 50%.
- Built a Culture of Security: The client’s distributed teams were empowered with the skills and tools to build security into their daily work, creating a sustainable culture of DevSecOps that supports the principles of the SAFe framework.
This approach has since been extended to other global programs, helping enterprises across industries – from finance to telecommunications – accelerate secure innovation at scale.