Customer Stories
Advancing Security in a High-Stakes Environment
Scaling GitHub Advanced Security across a leading European energy network operator to empower 1,000 developers and safeguard critical infrastructure.
Introduction
This case study shows how Xebia enables hundreds of employees at a leading European energy network operator to use GitHub Advanced Security (GHAS) effectively.
Partnering with Xebia, the company launched a promising GHAS train-the-trainer program. This initiative produced 12 in-house GHAS experts who will train roughly 1,000 software developers internally. Additionally, the organization identified 20 critical applications to prioritize for GHAS rollout.
At a Glance
Challenge
A leading European energy network operator needed to protect critical electricity and gas infrastructure, but early adoption of GitHub Advanced Security lagged due to limited guidance for thousands of developers
Solution
Xebia introduced a GitHub Scaled Enablement program, training 12 internal GHAS champions, prioritizing 20 critical applications, and embedding security practices into the development lifecycle through a structured train-the-trainer approach
Results
The organization gained deeper insight into GHAS, built in-house security expertise, and set up a scalable rollout that supports 1,000 GHAS licenses and drives ongoing secure development across 200 teams
Business Challenge
With thousands of employees and millions of customer connections, this energy network operator manages essential electricity and gas infrastructure across multiple regions. As a critical infrastructure company operating in a high-security environment, it must protect sensitive data, ensure reliable energy supply, and guard against cyber threats that could disrupt essential services.
Because millions of customers depend on its services, external applications must remain operational at all times. Integrating security into the development lifecycle is vital—developers need tools to quickly scan, alert, and remediate vulnerabilities. To achieve this, the company adopted GHAS for its Secret Scanning feature and the consolidation of multiple capabilities in a single platform.
However, when first introducing GHAS, the organization encountered a common pitfall: broad tool availability without sufficient guidance or training. As a result, adoption lagged and the investment was underutilized. Recognizing this, the company asked Xebia to help 1,000 developers fully leverage GHAS and strengthen overall code security.
Solution
Xebia’s engagement involved familiarizing the internal security team with all aspects of GHAS—particularly its role in enhancing the software development lifecycle—identifying critical applications for immediate focus, and training internal champions.
Given the scale of the rollout, Xebia proposed its GitHub Scaled Enablement plan to embed knowledge within the organization. The approach began with recruiting and training internal champions, equipping them with GHAS expertise and teaching skills. These champions would then cascade the training to other developers, ensuring organization-wide adoption. Additionally, Xebia helped establish a Community of Practice to share ongoing updates, insights, and best practices.
Implementation
When Xebia joined, Secret Scanning had already been enabled for all applications. Therefore, Dependency Scanning and Code Scanning became the focal points of the train-the-trainer sessions.
The sessions included:
- A custom slide deck
- Live demos to support the training
- A vulnerable repository for hands-on GHAS demonstrations
- Trainer development to enhance teaching skills
The champions demonstrated a strong understanding of GitHub and GHAS, enabling Xebia to focus more on designing the rollout strategy and positioning the security team as a key driver of GHAS adoption.
Results
Deeper Insight
Improved understanding of GHAS and its role in producing secure software.
Critical Focus
Identification of 20 high-priority applications for GHAS enhancement.
Embedded Security
Security practices integrated into the full application development lifecycle.
In-House Expertise
12 professionals now serve as internal GHAS trainers.
Widespread Adoption
Internal champions are equipped to sustain ongoing GHAS adoption.
Vendor Impact
The rollout supports 1,000 GHAS licenses, contributing to GitHub’s broader success.
Lessons Learned
Xebia learned that internal security teams often prioritize tool implementation over developer workflow improvements. Creating a clear narrative about why security tools matter and how they support developer productivity is essential.
Another challenge was organizational silos—developers operated in separate groups with limited communication. Building a cross-team developer community proved critical for knowledge sharing and adoption.
Finally, developer buy-in was fundamental. Xebia’s success depended largely on the client’s internal project manager fostering engagement and enthusiasm.
Future
The organization has already seen benefits from GHAS, particularly in Secret Scanning and Dependency Scanning. The next phase will expand code scanning to all applications.
The goal is to make GHAS a standard tool across all 200 development teams. GHAS will be mandatory for the top 20 critical applications, with plans to extend it further. Each team will track adoption progress in quarterly reviews to ensure accountability.
"To be successful with GHAS, you need to demonstrate its added value to developers and help them implement the features step by step, making the teams owners of the rollout." Rob Bos, Consultant at Xebia
Contact