6/26/2025

HSL improves code security and provides better services to its customers with GitHub Advanced Security for Azure DevOps

HSL runs regional transport in the Helsinki area, accounting for about 60% of public transport journeys in Finland. Most of its revenue comes from ticket sales via its HSL app, yet amid geopolitical pressures and growing threats, the company recently realized the app needed better security.

With the app already running in Azure, and as part of efforts to strengthen its DevSecOps initiatives, HSL decided to roll out GitHub Advanced Security for Azure DevOps. This was with the aim of improving code security for both the HSL app and any other apps the team might develop in the future.

The new tool has given HSL far greater visibility of its code security vulnerabilities than ever before—helping the teams responsible for it to become more aware of what happens to its app and better protect it.

“December 12, 2022, was the worst day of my entire working life.” 

Petri Kukko, Chief Information Security Officer and Head of Cybersecurity Unit at HSL Helsinki Region Transport, is recalling the day a cyberattack hit his company and brought its entire operation to a halt.

As the authority responsible for planning and running regional transport in the Helsinki area, HSL accounts for about 60% of all public transport journeys in Finland. Every day, over 1.6 million people rely on its network for all kinds of needs. 

Yet on that day, and in the blink of an eye, everything changed.

“We were completely paralyzed,” Kukko recalls. “It was a real wake-up call for us: all we had done until that point in terms of security was no longer enough. We needed to become more resilient.” 

It was a tough lesson for HSL. One that, however, the organization quickly turned into an opportunity. To boost its posture, secure its development side, and start embracing security by design. All powered by Microsoft technology. 

From national staple to international target

Running a range of services including bus, train, metro, tram, and ferry, HSL employs more than 400 people and oversees anything from ticketing to marketing to planning and more. 

Digital transformation has been a constant denominator across all these services for the last 25 years at HSL, explains Akseli Wiik, Cyber Security Specialist at HSL. “We started in the early 2000s creating products like our travel card, and have kept growing ever since,” he says. 

“Today, one of our key focuses and sources of revenue is our HSL app, a custom and customer-facing app that we use to sell tickets, provide network updates, and release timetables.” 

Much like most of its back-office systems, the app runs entirely on Microsoft technologies such as Microsoft Azure and Azure DevOps, in line with HSL’s efforts to drive more software development. 

But the more digitally present the company becomes, the bigger the considerations it has to take in matters of security and DevSecOps. “We have a very broad software development department,” says Kukko. “We have at least 30 active projects at the moment. But in the last few years we’ve had to take more and more steps to secure them. Between the pandemic and global geopolitical tensions happening around us, we’ve become an increasing target for cyberattacks. Fortunately, Microsoft has been key in helping us take the right steps and increasingly protect ourselves.” 

More security to code development 

Among the most recent projects HSL has undertaken in the DevSecOps sphere is the rollout of GitHub Advanced Security for Azure DevOps. Supported by Microsoft partner Solita, this aims to improve code security for both the HSL app and any other apps the team might develop in the future. 

“We were already using Azure DevOps, so choosing GitHub Advanced Security for Azure DevOps was a natural choice for us,” says Wiik. “We needed something that would give us more visibility around code security and the software developed thanks to Microsoft’s technology, that has very much changed now. It makes us developers much more secure because we’ve now got security by design.”

Now, the team can access a clear list of vulnerabilities that they need to solve and mitigate, plus the tools and support they need to address them. 

“When we started to use it, we could see the results straight away because it's a very efficient tool,” adds Kukko. “I certainly spent a few sleepless nights when that happened. The visibility will give you pain. But we consider pain as a benefit in this matter.” 

He adds that Microsoft has also been key in helping HSL ensure compliance across most of its security operations. “We handle several payment card data, so we need to follow various payment card standards which we truly couldn’t do without Microsoft tools.”

Security awareness and a culture of security champions

Cultural transformation has been crucial to the success of the project and HSL’s wider security efforts, says Kukko. 

“People are the most powerful force you can have when it comes to transformation,” he explains. “And if you can inspire them and take them with you, you can achieve so much more.”

That’s exactly what happened with the latest DevSecOps initiatives. “One of our key requirements when we started improving our posture was that we needed some common guidelines for our teams,” comments Wiik. “To do that, we decided to adopt a security champion model.” 

As part of the initiative, various teams across the IT department elect a representative—or champion—to act as a link between HSL’s cybersecurity team and the business team, encouraging knowledge sharing and even more collaboration.  

“We now have about 10 champions, and it’s a truly great atmosphere we’ve created,” he continues. “We hold regular sessions where we come together and share experiences, information, common methods, and improve each other constantly.”

That’s ultimately where Kukko sees the future of HSL’s security initiatives going. “In order to become a security-aware organization, we need people who are truly invested in it and believe in it,” he concludes. “That’s what we’ve been looking for since the start of our project: people who are interested in security, more than knowledgeable. With the right people and partners like Microsoft on our side, we know we can really go the distance—and have a few less sleepless nights along the way, too.” 
