How HMRC Digital secures services at scale


This event took place on Sep 07, 2022



Ben Conrad | Head of Product for MDTP, HMRC

Gerald Benischke | AppSec Lead, Equal Experts


HM Revenue & Customs is the tax collection authority for the United Kingdom government. The department is responsible for the collection of revenue (taxes and duties) from all UK taxpayers, be they citizens or businesses. We work together with the Government Digital Service (GDS) and other departments to ensure the services we provide are built to common, strong standards.

This session peels back the covers on what it is like to secure HMRC’s digital tax platform, which is built on AWS and comprises 1000+ microservices built by 100 teams with ~1500 deployments a month. Security incidents such as Log4Shell and news reports of data leaks are always a risk to digital services, and at HMRC Digital we’re in a position to react quickly and confidently to incidents as they occur.

We’ll share some insights into how we’ve secured the microservices that run on the platform, including:

  • identifying vulnerabilities prior to live deployments
  • increasing buy-in from teams for service security
  • leaning on an opinionated tech stack to boost our security position
  • using a service catalogue and async chat comms to power security collaboration

We will also provide some recommendations on what you can do to get started with your own AppSec programme.

This talk takes place at:

  • 8.30am BST
  • 9.30am SAST
  • 1pm IST
  • 5.30pm AEST