UK Software Security — NCSC and OWASP Controls by Layer
Security Layer
NCSC / OWASP Control
UK Regulatory Driver
ClickMasters Implementation
Authentication
MFA mandatory (TOTP minimum), password policy (NIST 800-63B — no complexity rules, length minimum 12)
Cyber Essentials A2.3, NHS DTAC Domain 3
AWS Cognito MFA, react-hook-form password validation
Authorisation
Least privilege (RBAC/ABAC), no hardcoded credentials, secrets in AWS Secrets Manager
Cyber Essentials A3, ISO 27001 A.9
IAM roles per ECS task, Secrets Manager rotation
Transport security
TLS 1.2+ only (TLS 1.0/1.1 disabled), HSTS header, no mixed content
Cyber Essentials A5, NHS DTAC Domain 3
AWS ALB TLS policy, HSTS via CloudFront response headers
Input validation
OWASP A03 Injection — parameterised queries only, input sanitisation (DOMPurify), output encoding
NHS DTAC Domain 3, FCA PS21/3
Zod server-side validation, parameterised SQL, DOMPurify
Dependency security
CVE scanning (Trivy, Snyk), Dependabot PRs for critical CVEs within 14 days
Cyber Essentials A2 (14-day critical patch), ISO 27001 A.12.6
Dependabot + Trivy in CI/CD — blocks merge on critical CVE
Container security
Non-root container user, read-only root filesystem, no privileged containers
Cyber Essentials Plus A2.2, NHS DTAC Domain 3
ECS task definition — user: 1000, readonlyRootFilesystem: true
API security
Rate limiting, WAF (OWASP ruleset), API key rotation, OpenAPI schema validation
FCA PS21/3 IBS availability, NHS DTAC Domain 3
AWS WAF OWASP managed ruleset, API Gateway usage plans
Logging and monitoring
Audit log (immutable CloudWatch), anomaly detection (GuardDuty), SIEM (Security Hub)
ISO 27001 A.12.4, FCA PS21/3, NHS DSP Toolkit Annex B
CloudTrail + CloudWatch + GuardDuty + Security Hub
UK OWASP Top 10 — Most Common Vulnerabilities in UK Software (2026)
| OWASP Rank | Vulnerability | UK Example | ClickMasters Mitigation |
|---|---|---|---|
| A01 | Broken Access Control | NHS patient record accessible without correct NHS SDS role | RBAC middleware on every API endpoint — no implicit trust |
| A02 | Cryptographic Failures | FCA customer financial data stored in S3 without encryption | S3 SSE-KMS mandatory, RDS encryption enabled, TLS everywhere |
| A03 | Injection | SQL injection in property search (PostGIS query — unparameterised) | Parameterised queries only — Prisma ORM or pg.query with $1 $2 |
| A04 | Insecure Design | No rate limiting on FCA login endpoint — credential stuffing | AWS WAF rate limiting, Cognito advanced security |
| A05 | Security Misconfiguration | S3 bucket public — customer data exposed | AWS Config rule: s3-bucket-public-read-prohibited + SCPs |
| A06 | Vulnerable Components | Node.js 16 (EOL) in production — known CVEs | Dependabot + Trivy + ECR image scanning — EOL detection |
| A07 | Identification Failures | Session token not invalidated after password change | Cognito token revocation + session invalidation on auth events |
| A09 | Security Logging Failures | No audit trail for NHS admin user accessing patient records | CloudTrail + CloudWatch Logs — every admin action logged |
Cyber Essentials Annex A — Technical Requirements Summary
A1 Firewalls: AWS Security Groups (default deny, allow only required ports) + Network ACLs. No inbound internet access to private subnets (database, internal services). FCA note: Cyber Essentials firewall controls align with FCA PS21/3 network security requirements.
A2 Secure Configuration: no default credentials, MFA enabled, unused services disabled, AWS Systems Manager (no SSH — no exposed SSH ports). Critical CVE patch within 14 days (Dependabot + Trivy automated). Cyber Essentials Plus: evidenced by on-site assessment.
A3 User Access Control: MFA mandatory for all admin users, least privilege IAM roles, no shared accounts, Cognito User Pool for application users. Joiners/movers/leavers process (IAM access keys revoked within 24 hours of departure).
A4 Malware Protection: Amazon Inspector (container and EC2 vulnerability scanning), AWS GuardDuty (malware detection in S3, EC2 network traffic analysis), WAF (blocks malicious requests). Endpoint protection for developer laptops (mandatory as part of Cyber Essentials Plus assessment).
A5 Patch Management: Fargate/Lambda (AWS manages OS patching — zero obligation), application dependencies (Dependabot — 14-day critical CVE resolution SLA), and custom AMIs (AWS Systems Manager Patch Manager for any EC2 instances).
Cyber Essentials (and Cyber Essentials Plus) has 5 technical control categories. ClickMasters configures all 5 as standard: