HM Revenue & Customs is the tax collection authority for the United Kingdom government. The department is responsible for collecting revenue (taxes and duties) from all UK taxpayers, whether citizens or businesses. We work together with the Government Digital Service (GDS) and other departments to ensure the services we provide are built to common, strong standards.
This session peels back the covers on what it is like to secure HMRC’s digital tax platform, which is built on AWS and comprises 1000+ microservices built by 100 teams, with ~1500 deployments a month. Security incidents such as Log4Shell, and news reports of data leaks, are a constant risk to digital services, and at HMRC Digital we are positioned to react quickly and confidently to incidents as they occur.
We’ll share some insights into how we’ve secured the microservices that run on the platform, including:
identifying vulnerabilities prior to live deployments
increasing buy-in from teams for service security
leaning on an opinionated tech stack to boost our security position
using a service catalogue and async chat comms to power security collaboration
We will also provide some recommendations on what you can do to get started with your own AppSec programme.