HSL – Helsinki region transport

New framework for HSL’s secure software development

Case HSL

Helsinki Region Transport (HSL) wants to develop the security of its software development with the support of Solita and to include information security already in the early stages of service development. “We need plain language, transparency and measurability in our service development from an information security perspective. In today’s global environment, we need to be able to prepare for risks at all levels of operation. We are grateful for Solita’s expertise and look forward to continuing our cooperation,” says Petri Kukko, HSL’s Chief Information Security Officer.

In a rapidly changing world, the quality of information security must be constantly monitored at all levels of software and service development and production. HSL needed visibility into the security of software development: how secure are the company’s services being developed?

HSL, which provides transport services, doesn’t develop the software itself but works with dozens of different software development companies. Companies often have their own standards and ways of working. Many companies in the mobility services sector face similar challenges, with the responsibility for software security falling on the shoulders of software companies.

HSL wanted Solita to define a framework for software development security. The company also needed support in implementing the ISO 27001 management system standard. Solita was asked to provide insight on how to meet the requirements in the software development process.

Results

  • HSL’s security awareness has improved significantly: team-based security is the most effective way to ensure secure software development work
  • Implementing the DevSecOps approach to software development brings quality assurance to all stages of software development
  • HSL receives documentation for its security processes
  • There will be a significant increase in the transparency of work monitoring
  • Increased understanding of the ISO 27001 management system
  • Easier implementation and enforcement of requirements
  • HSL’s commitment to systematically develop software development security is strengthened
Shared responsibility too often means that no one has it. We want to define clear standards and responsibilities for security in software development for HSL and its partner companies.

Massimo Prencipe Security Specialist, Solita

DevSecOps brings quality gates to all stages of development

We defined a framework for secure software development by following the principles of DevSecOps implementation. The idea is that the implementation creates security and quality gates for every stage of the development process, from the very beginning.

Our goal in this collaboration is to minimise the time spent by software developers on separate security audits in the future. Instead, they can be confident that the chosen security development models, tools and automation will support day-to-day development and guide them towards more secure solutions from the start.

“We wanted to bring tools and practices that facilitate communication and harmonise security practices to the software developers used by HSL,” says Prencipe.

The aim is to integrate security into service development from the very beginning. We also want the process to be as transparent as possible. In today’s fast-changing world, it isn’t enough to focus on security only in the audit at the end of the process.

Petri Kukko Chief Information Security Officer, HSL

Security starts with the teams

The collaboration has increased HSL’s understanding that security always starts with teams.

“Team-based security is the only way to implement effective security in software development. Top-down command and control doesn’t work or provide enough detailed information about security. It is important to understand that security always starts at the execution level,” says Prencipe.

The aim of the partnership is to make the everyday life of HSL’s software developers easier in a number of ways. Solita has selected a set of tools for software developers and has defined initial guidelines for their work. HSL is also committed to the implementation of the Security Champion model.

Solita will assist HSL in tailoring the model and rolling it out to the teams.

A security stakeholder is selected from each team, and the selected security champions from the different teams discuss with each other and act as a link between HSL’s cybersecurity team and the company’s business.

Case HSL
During the autumn we’ve done an initial maturity analysis – where are we now? This has been successfully completed and we will continue to work with Solita into the actual development phase.

Petri Kukko Chief Information Security Officer, HSL

Open and smooth cooperation

The cooperation will continue with pilot projects for tools and practices, for which development teams and their Security Champion will be selected. Through them, information will be disseminated to all team members.

“The key to success is a strong commitment and will from the customer. The project has started very well. It’s important for companies to understand that the level of security can only be improved by dedication and investment,” says Antero Lundell, Account Director at Solita.

Business owners often lack the visibility into the security issues. They get insight into the security of implementations from testing every year or two.

The world is changing rapidly. Unfortunately, interest in information security is often only awakened after something has happened. It is important to raise the level of security awareness at all levels of the company.

Antero Lundell Account Director, Solita

The cooperation between Solita and HSL has been easy, open and smooth for both parties.

“The atmosphere is good. We’ve been agile in our analysis of the current situation and have been able to change course when needed and reef the sails so that we have moved forward. We are very grateful for the cooperation and expertise we have received. We have received the boost we needed to improve our security. Solitans are a very knowledgeable and skilled bunch,” says Kukko. 

Please accept marketing cookies to watch this video.

Read more about how we use
cookies in our privacy policy.

See Solita Summit 2024 recording where Petri Kukko from HSL and Solita’s Massimo Prencipe talk about securing software in the public transportation business.

Contact us for more!