Ben will be presenting the following session
  • Ben Conrad

    Ben Conrad / Gerald Benischke - Securing digital services at HMRC Digital

    45 Mins
    Case Study

    HM Revenue & Customs is the tax collection authority for the United Kingdom government. The department is responsible for the collection of revenue (taxes and duties) from all UK taxpayers, be they citizens or businesses. We work together with the Government Digital Service (GDS) and other departments to ensure the services we provide are built to common strong standards.

    This session peels back the covers on what it is like to secure HMRC’s digital tax platform, which is built on AWS and comprises 1000+ microservices built by 100 teams with ~1500 deployments a month.  Security incidents such as Log4Shell and news reports of data leaks are always a risk to digital services, and at HMRC Digital we’re in a position to react quickly and confidently to incidents as they occur.


    We’ll share some insights into how we’ve secured the microservices that run on the platform, including:


    • identifying vulnerabilities prior to live deployments
    • increasing buy-in from teams for service security 
    • leaning on an opinionated tech stack to boost our security position
    • using a service catalogue and async chat comms to power security collaboration

    We will also provide some recommendations on what you can do to get started with your own AppSec programme.

1. What got you started/interested in modern software development methods?

I'm afraid to say I rather fell into it. Or rather I joined a part of the UK Civil Service which champions modern software development methods. The reason that the Digital sections of Government Departments were created was (to my mind) twofold. One was as a reaction to some terrible IT projects that had plagued Government IT for years. Second was a desire to be far more focused on User Needs and to ensure that the user was put foremost in any new development.

2. What do you think is the biggest challenge faced by the software product engineering community today?

The challenge of ensuring that the development practices we want to see and know deliver far better outcomes are done in a way that is not only secure, but trusted to be secure. Security needs to an ally in development and not the blocker that it can all to easily become.

3. What do you think are the most exciting developments in software product engineering today?

I don't work at the bleeding edge by any means, but I'm hopeful that (if it can stop being labelled as Artificial Intelligence which it is not) the developments in natural language models will open up technology to people who would never think of themselves as digital natives. In the broadest sense I would apply this to things like Github co-pilot, but at a simpler level as voice based assistants expand and improve, the idea of getting Alexa to communicate with an API to file a tax return should be possible.

4. Why did you choose the topic(s) you will be speaking about at the conference?

We've been focusing on Security of our Platform for some time, but only recently have we realised the power we have to look for vulnerabilities and improve the security not just of the platform but every service we host. It seemed like a natural topic for a talk because we think we've discovered some interesting things on our journey.

5. What are some of the key takeaways from your session(s) at Agile India?
  • Security can't be done effectively by ranking CVS scores.
  • Consistency is a security advantage if you leverage it.
  • Knowledge is power. Obviously.
6. Which sessions are you particularly looking forward to attending at Agile India this year?

Sorry - I know it's starts tomorrow, but I've not really looked yet. The day job is likely to keep me quite busy for parts of it - the only real downside to being a virtual attendee, I haven't cleared my calendar.

7. Any personal remarks/message you want to share with the software community?

I fear this talk could be quite niche and people might take the view that it's only worth listening to if you running a huge platform and dealing with vast numbers of sensitive transactions. I hope that is not the case and that we're able to show that there are general principles that would be useful to consider whatever the scale of your project.