Gerald will be presenting the following session
  • Ben Conrad

    Ben Conrad / Gerald Benischke - Securing digital services at HMRC Digital

    45 Mins
    Case Study
    Intermediate

    HM Revenue & Customs is the tax collection authority for the United Kingdom government. The department is responsible for the collection of revenue (taxes and duties) from all UK taxpayers, be they citizens or businesses. We work together with the Government Digital Service (GDS) and other departments to ensure the services we provide are built to common strong standards.


    This session peels back the covers on what it is like to secure HMRC’s digital tax platform, which is built on AWS and comprises 1000+ microservices built by 100 teams with ~1500 deployments a month.  Security incidents such as Log4Shell and news reports of data leaks are always a risk to digital services, and at HMRC Digital we’re in a position to react quickly and confidently to incidents as they occur.


    We’ll share some insights into how we’ve secured the microservices that run on the platform, including:


    • identifying vulnerabilities prior to live deployments
    • increasing buy-in from teams for service security 
    • leaning on an opinionated tech stack to boost our security position
    • using a service catalogue and async chat comms to power security collaboration

    We will also provide some recommendations on what you can do to get started with your own AppSec programme.

1. What got you started/interested in modern software development methods?
2. What do you think is the biggest challenge faced by the software product engineering community today?
3. What do you think are the most exciting developments in software product engineering today?
4. Why did you choose the topic(s) you will be speaking about at the conference?

Over the last 5 years I have got more and more interested in AppSec. I think it is a security specialism that often gets overlooked. While infrastructure focusses on firewalls and authentication, there are often a plethora of security vulnerabilities hiding in software - especially if it is not maintained. Furthermore, applications can also open up some interesting attack vectors.

Against that background it was really great to be given the opportunity to lead the AppSec programme at HMRC and I was keen to share!

5. What are some of the key takeaways from your session(s) at Agile India?
  • Security is about collaboration
  • AppSec is hard
  • Having an opinionated tech stack/paved road/golden path provides the opportunity to create a centralised AppSec team that can enable stream-aligned teams to build better security
  • Spreadsheets are a really useful tool for security
  • Be wary of CVSS scores
6. Which sessions are you particularly looking forward to attending at Agile India this year?

I'm a conference newbie, so anything will be interesting.

7. Any personal remarks/message you want to share with the software community?

I sometimes blog on: https://beny23.github.io/ - and I am looking forward to the conference!
