Helsinki Region Transport (HSL) wants to develop the security of its software development with the support of Solita and to include information security already in the early stages of service development. “We need plain language, transparency and measurability in our service development from an information security perspective. In today’s global environment, we need to be able to prepare for risks at all levels of operation. We are grateful for Solita’s expertise and look forward to continuing our cooperation,” says Petri Kukko, HSL’s Chief Information Security Officer.
In a rapidly changing world, the quality of information security must be constantly monitored at all levels of software and service development and production. HSL needed visibility into the security of its software development: how securely are the company's services being developed?
HSL, which provides transport services, doesn’t develop the software itself but works with dozens of different software development companies. Companies often have their own standards and ways of working. Many companies in the mobility services sector face similar challenges, with the responsibility for software security falling on the shoulders of software companies.
HSL wanted Solita to define a framework for software development security. The company also needed support in implementing the ISO 27001 management system standard. Solita was asked to provide insight on how to meet the requirements in the software development process.
DevSecOps brings quality gates to all stages of development
We defined a framework for secure software development following DevSecOps principles. The idea is that the implementation creates security and quality gates for every stage of the development process, from the very beginning.
Our goal in this collaboration is to minimise the time spent by software developers on separate security audits in the future. Instead, they can be confident that the chosen security development models, tools and automation will support day-to-day development and guide them towards more secure solutions from the start.
“We wanted to bring tools and practices that facilitate communication and harmonise security practices to the software developers used by HSL,” says Prencipe.
Security starts with the teams
The collaboration has increased HSL’s understanding that security always starts with teams.
“Team-based security is the only way to implement effective security in software development. Top-down command and control doesn’t work or provide enough detailed information about security. It is important to understand that security always starts at the execution level,” says Prencipe.
The aim of the partnership is to make the everyday life of HSL’s software developers easier in a number of ways. Solita has selected a set of tools for software developers and has defined initial guidelines for their work. HSL is also committed to the implementation of the Security Champion model.
Solita will assist HSL in tailoring the model and rolling it out to the teams. A security champion is selected from each team; the champions from the different teams confer with each other and act as a link between HSL's cybersecurity team and the company's business.