Ben Conrad

HM Revenue & Customs

Gerald Benischke

Equal Experts

06 Oct, 15:00-15:45

45 minutes

About the session


At HMRC Digital, there are about 1100 production microservices, built by about 100 teams consisting of about 1000 engineers, all managed through about 4000 repositories, and the number is growing. The platform itself hosts a variety of services, from the annual hockey stick of Self Assessment, which has an interesting peak on the 31st January, to the Covid services (Self Employed Income Support or the Job Retention Scheme) to a whole variety of frontend services. These services are hosted in the Multichannel Digital Tax Platform (MDTP). MDTP is an opinionated platform, which means it follows the idea of the "paved road", where the platform provides guidance and patterns on how to solve technical problems, always attempting to strike a fine balance between pragmatism and innovation. The platform is built and maintained by 8 platform teams, which support the tenant/service teams.

This session peels back the covers on what it is like to secure HMRC’s digital tax platform, which is built on AWS and comprises 1000+ microservices built by 100 teams with ~1500 deployments a month. Security incidents such as Log4Shell and news reports of data leaks are always a risk to digital services, and at HMRC Digital we’re in a position to react quickly and confidently to incidents as they occur.

Participants will be able to:

  • identify vulnerabilities prior to live deployments
  • increase buy-in from teams for service security
  • lean on an opinionated tech stack to boost our security position
  • use a service catalogue and async chat comms to power security collaboration

Themes: Security, AppSec at Scale, Opinionated Tech, Digital Platform, Discoverability, DevSecOps

