UK Software Cybersecurity Guide (2026)

🔐 Security⚖️ NCSC🔒 Cyber Essentials🏦 FCA🆓 Free Assessment
February 202612 min readJames Whitmore, CTO

Direct Answer

UK software security requirements are shaped by NCSC (National Cyber Security Centre) guidelines, Cyber Essentials (mandatory for UK government contracts), NHS DTAC Domain 3 (technical security for NHS software), and FCA operational resilience (PS21/3 security controls). ClickMasters holds Cyber Essentials Plus and ISO 27001 — and implements NCSC-aligned security on every UK software build.

UK Software Security — NCSC and OWASP Controls by Layer

Security Layer

NCSC / OWASP Control

UK Regulatory Driver

ClickMasters Implementation

Authentication

MFA mandatory (TOTP minimum), password policy (NIST 800-63B — no complexity rules, length minimum 12)

Cyber Essentials A2.3, NHS DTAC Domain 3

AWS Cognito MFA, react-hook-form password validation

Authorisation

Least privilege (RBAC/ABAC), no hardcoded credentials, secrets in AWS Secrets Manager

Cyber Essentials A3, ISO 27001 A.9

IAM roles per ECS task, Secrets Manager rotation

Transport security

TLS 1.2+ only (TLS 1.0/1.1 disabled), HSTS header, no mixed content

Cyber Essentials A5, NHS DTAC Domain 3

AWS ALB TLS policy, HSTS via CloudFront response headers

Input validation

OWASP A03 Injection — parameterised queries only, input sanitisation (DOMPurify), output encoding

NHS DTAC Domain 3, FCA PS21/3

Zod server-side validation, parameterised SQL, DOMPurify

Dependency security

CVE scanning (Trivy, Snyk), Dependabot PRs for critical CVEs within 14 days

Cyber Essentials A2 (14-day critical patch), ISO 27001 A.12.6

Dependabot + Trivy in CI/CD — blocks merge on critical CVE

Container security

Non-root container user, read-only root filesystem, no privileged containers

Cyber Essentials Plus A2.2, NHS DTAC Domain 3

ECS task definition — user: 1000, readonlyRootFilesystem: true

API security

Rate limiting, WAF (OWASP ruleset), API key rotation, OpenAPI schema validation

FCA PS21/3 IBS availability, NHS DTAC Domain 3

AWS WAF OWASP managed ruleset, API Gateway usage plans

Logging and monitoring

Audit log (immutable CloudWatch), anomaly detection (GuardDuty), SIEM (Security Hub)

ISO 27001 A.12.4, FCA PS21/3, NHS DSP Toolkit Annex B

CloudTrail + CloudWatch + GuardDuty + Security Hub

UK OWASP Top 10 — Most Common Vulnerabilities in UK Software (2026)

OWASP RankVulnerabilityUK ExampleClickMasters Mitigation
A01Broken Access ControlNHS patient record accessible without correct NHS SDS roleRBAC middleware on every API endpoint — no implicit trust
A02Cryptographic FailuresFCA customer financial data stored in S3 without encryptionS3 SSE-KMS mandatory, RDS encryption enabled, TLS everywhere
A03InjectionSQL injection in property search (PostGIS query — unparameterised)Parameterised queries only — Prisma ORM or pg.query with $1 $2
A04Insecure DesignNo rate limiting on FCA login endpoint — credential stuffingAWS WAF rate limiting, Cognito advanced security
A05Security MisconfigurationS3 bucket public — customer data exposedAWS Config rule: s3-bucket-public-read-prohibited + SCPs
A06Vulnerable ComponentsNode.js 16 (EOL) in production — known CVEsDependabot + Trivy + ECR image scanning — EOL detection
A07Identification FailuresSession token not invalidated after password changeCognito token revocation + session invalidation on auth events
A09Security Logging FailuresNo audit trail for NHS admin user accessing patient recordsCloudTrail + CloudWatch Logs — every admin action logged

Cyber Essentials Annex A — Technical Requirements Summary

A1 Firewalls: AWS Security Groups (default deny, allow only required ports) + Network ACLs. No inbound internet access to private subnets (database, internal services). FCA note: Cyber Essentials firewall controls align with FCA PS21/3 network security requirements.

A2 Secure Configuration: no default credentials, MFA enabled, unused services disabled, AWS Systems Manager (no SSH — no exposed SSH ports). Critical CVE patch within 14 days (Dependabot + Trivy automated). Cyber Essentials Plus: evidenced by on-site assessment.

A3 User Access Control: MFA mandatory for all admin users, least privilege IAM roles, no shared accounts, Cognito User Pool for application users. Joiners/movers/leavers process (IAM access keys revoked within 24 hours of departure).

A4 Malware Protection: Amazon Inspector (container and EC2 vulnerability scanning), AWS GuardDuty (malware detection in S3, EC2 network traffic analysis), WAF (blocks malicious requests). Endpoint protection for developer laptops (mandatory as part of Cyber Essentials Plus assessment).

A5 Patch Management: Fargate/Lambda (AWS manages OS patching — zero obligation), application dependencies (Dependabot — 14-day critical CVE resolution SLA), and custom AMIs (AWS Systems Manager Patch Manager for any EC2 instances).

Cyber Essentials (and Cyber Essentials Plus) has 5 technical control categories. ClickMasters configures all 5 as standard:

Frequently Asked Questions

Common questions about uk software cybersecurity guide (2026).

Cyber Essentials Plus timeline: (1) self-assessment (Cyber Essentials basic — online questionnaire, 2–4 weeks preparation, ~£300–£600), (2) gap remediation (address any Annex A control gaps — ClickMasters typical gap: MFA on all admin accounts, patching process documentation), (3) Plus assessment (IASME-accredited assessor visits — tests technical controls against Annex A, 1 day on-site, ~£1,500–£3,000). Total: 4–8 weeks, £2,000–£4,000. ClickMasters Cyber Essentials Plus tip: the most common Plus failure is MFA not enabled on all administrator accounts — check every AWS IAM user, Microsoft 365 admin, and cloud console access before assessment.

Cyber Essentials Plus is a significant contribution to NHS DTAC Domain 2 (Data Protection and Information Governance) but does not satisfy it alone. DTAC Domain 2 additionally requires: (1) UK GDPR compliance documentation (Article 30 ROPA, DPIAs, DSARs), (2) ICO registration, (3) NHS-specific data sharing agreements (DSPT — Data Security and Protection Toolkit alignment), (4) clinical data governance (for NHS Article 9 health data — enhanced safeguards beyond Cyber Essentials). ClickMasters approach: achieve Cyber Essentials Plus first (it provides strong evidence for DTAC D2 technical security), then produce DTAC D2-specific documentation (ROPA, DPIA, ICO registration confirmation, NHS DSPT alignment statement).

About the Author

James Whitmore, CTO UK cybersecurity specialist — ClickMasters holds Cyber Essentials Plus and ISO 27001 We implement NCSC-aligned security on every UK software build. Security is not a sprint — it is built in from Sprint 1.

Free Security Assessment ClickMasters will assess...

Free Security Assessment ClickMasters will assess your application against NCSC guidelines and Cyber Essentials Annex A. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation