HSL – Helsinki region transport

New framework for HSL’s secure software development

Case HSL

Helsinki Region Transport (HSL) wants to develop the security of its software development with the support of Solita and to include information security already in the early stages of service development. “We need plain language, transparency and measurability in our service development from an information security perspective. In today’s global environment, we need to be able to prepare for risks at all levels of operation. We are grateful for Solita’s expertise and look forward to continuing our cooperation,” says Petri Kukko, HSL’s Chief Information Security Officer.

In a rapidly changing world, the quality of information security must be constantly monitored at all levels of software and service development and production. HSL needed visibility into the security of software development: how secure are the company’s services being developed?

HSL, which provides transport services, doesn’t develop the software itself but works with dozens of different software development companies. Companies often have their own standards and ways of working. Many companies in the mobility services sector face similar challenges, with the responsibility for software security falling on the shoulders of software companies.

HSL wanted Solita to define a framework for software development security. The company also needed support in implementing the ISO 27001 management system standard. Solita was asked to provide insight on how to meet the requirements in the software development process.

Results

  • HSL’s security awareness has improved significantly: team-based security is the most effective way to ensure secure software development work
  • Implementing the DevSecOps approach to software development brings quality assurance to all stages of software development
  • HSL receives documentation for its security processes
  • There will be a significant increase in the transparency of work monitoring
  • Increased understanding of the ISO 27001 management system
  • Easier implementation and enforcement of requirements
  • HSL’s commitment to systematically develop software development security is strengthened

Shared responsibility too often means that no one has it. We want to define clear standards and responsibilities for security in software development for HSL and its partner companies.

Massimo Prencipe Security Specialist, Solita

DevSecOps brings quality gates to all stages of development

We defined a framework for secure software development by following the principles of DevSecOps implementation. The idea is that the implementation creates security and quality gates for every stage of the development process, from the very beginning.

Our goal in this collaboration is to minimise the time spent by software developers on separate security audits in the future. Instead, they can be confident that the chosen security development models, tools and automation will support day-to-day development and guide them towards more secure solutions from the start.

“We wanted to bring tools and practices that facilitate communication and harmonise security practices to the software developers used by HSL,” says Prencipe.

The aim is to integrate security into service development from the very beginning. We also want the process to be as transparent as possible. In today’s fast-changing world, it isn’t enough to focus on security only in the audit at the end of the process.

Petri Kukko Chief Information Security Officer, HSL

Security starts with the teams

The collaboration has increased HSL’s understanding that security always starts with teams.

“Team-based security is the only way to implement effective security in software development. Top-down command and control doesn’t work or provide enough detailed information about security. It is important to understand that security always starts at the execution level,” says Prencipe.

The aim of the partnership is to make the everyday life of HSL’s software developers easier in a number of ways. Solita has selected a set of tools for software developers and has defined initial guidelines for their work. HSL is also committed to the implementation of the Security Champion model.

Solita will assist HSL in tailoring the model and rolling it out to the teams.

A Security Champion is selected from each team; the champions from the different teams then confer with each other and act as the link between HSL’s cybersecurity team and the company’s business.

During the autumn we’ve done an initial maturity analysis – where are we now? This has been successfully completed and we will continue to work with Solita into the actual development phase.

Petri Kukko Chief Information Security Officer, HSL

Open and smooth cooperation

The cooperation will continue with pilot projects for tools and practices, for which development teams and their Security Champion will be selected. Through them, information will be disseminated to all team members.

“The key to success is a strong commitment and will from the customer. The project has started very well. It’s important for companies to understand that the level of security can only be improved by dedication and investment,” says Antero Lundell, Account Director at Solita.

Business owners often lack visibility into security issues. They get insight into the security of implementations from testing every year or two.

The world is changing rapidly. Unfortunately, interest in information security is often only awakened after something has happened. It is important to raise the level of security awareness at all levels of the company.

Antero Lundell Account Director, Solita

The cooperation between Solita and HSL has been easy, open and smooth for both parties.

“The atmosphere is good. We’ve been agile in our analysis of the current situation and have been able to change course when needed and reef the sails so that we have moved forward. We are very grateful for the cooperation and expertise we have received. We have received the boost we needed to improve our security. Solitans are a very knowledgeable and skilled bunch,” says Kukko.
