How defence secures modern software supply chains with D2S
Guest blog by Ministry of Defence #techUKSupplyChainSecurityWeek
Modern software development introduces complex supply chains that are difficult to manage, monitor, assure and guarantee free of cyber threats.
For Defence, the challenge is how to enable rapid delivery without losing control of security and assurance. Defence Developer Services (D2S) is the authorised solution that addresses this directly.
What is D2S
Defence Developer Services (D2S) provides end-to-end application development services across the MOD.
This includes modern containerisation platforms, backed by an integrated tooling suite within a Continuous Integration / Continuous Deployment (CI/CD) environment, allowing Development, Security and Operations (DevSecOps) teams to build applications across platforms. These components represent the current service and will continue to evolve and expand.
D2S’ vision is to provide a service that enables users across Defence to rapidly and securely develop and deploy applications for a range of use cases, including military operations.
Through innovative solutions and cyber security governance, risk and compliance processes, D2S facilitates a through-life “code to commit in 24 hours” service.
D2S operates within MOD infrastructure, including cloud-hosted environments, and continues to develop capabilities that support emerging technologies, including artificial intelligence, as part of the application development lifecycle.
A unified model for supply chain security
D2S is an established multi-disciplinary team currently consisting of MOD, Digital Allies, Red Hat and Defence SMEs, working under a single mission goal.
Under an innovative assurance framework, Continuous Authority to Operate (CAtO), application teams engage with a pipeline of security tooling that provides in-depth security checks to validate and assure the entire application development supply chain.
This automation and validation process has been accessible in D2S since 2023 and continues to be the only programme to operate under CAtO in Defence.
Applications being developed in D2S benefit from a rapid but secure route to security assurance owing to automated security validation steps, fulfilling the rapid deployment vision of the service.
Securing the platform and runtime
D2S platform services are entirely hosted within MOD infrastructure and sit within containerised hosting environments.
Specifically, D2S currently resides within Red Hat OpenShift Container Platform (OCP), where each application team resides in its own Kubernetes container across development and production environments.
Using Kubernetes offers a layer of security and operational assurance to each application team. Containerised applications are virtually segmented from other teams hosted on the same platform. Negative effects such as technical failure or cyber security incidents within one container cannot affect another, limiting the blast radius.
OCP allows application teams control of networking, services such as databases, storage and image repositories, secrets management and access to a library of operators, all within the defined security and operational parameters of the overall service.
All environments are subject to 24/7 security monitoring by a MOD-provided Security Operations Centre (SOC).
Controlling code, access and secrets
Teams commit code to a dedicated, access-controlled instance of GitHub, managing both public and private repositories.
D2S CI/CD services pull code into development environments where users test integration with D2S services and runtime.
Development environments are protected through MOD infrastructure and OCP to prevent internet access, except where services are benign and subject to testing.
D2S provides a secrets vault allowing managed, programmatic access to securely stored secrets such as API keys or credentials. Applications retrieve secrets from the vault, and those secrets are rotated as frequently as required.
Embedded, non-bypassable security validation
Code is regularly scanned by a pipeline of security tooling providing compliance and defence-in-depth assurance.
These steps are mandated within the CI/CD pipeline and cannot be circumvented. Applications undergo:
- Static Application Security Testing (SAST) to identify vulnerabilities prior to deployment
- Dynamic Application Security Testing (DAST), using automated attacks in a simulated runtime environment to identify vulnerabilities
- Image scanning to provide visibility of vulnerabilities (CVEs) and software composition
- Software Bill of Materials (SBOM) generation in user-friendly or JSON format
- Supply chain analysis across all components, whether integrated or inherited
- Dependency tracking to identify risks and unused components
- Secret scanning, verified by D2S Security Teams prior to deployment
Teams also undertake risk analysis and security validation, including alignment to NIST 800-53 controls, which D2S verifies.
Managing supply chain complexity
The use of open-source code is essential in the rapid development of applications. It enables efficient builds, rapid solutions, avoidance of repetition and modular design patterns.
However, it introduces risk through extensive supply chains that are difficult to manage, monitor, assure and guarantee free of cyber threats.
D2S mitigates this through extensive tooling, monitoring, established processes and continuous risk management. Security policies and processes alert application and security teams to newly identified vulnerabilities over time, with validation checks in place to ensure remedy.
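To show how the JSON SBOM produced in the scanning stage and the dependency-tracking alerts described here fit together, an added Go example (not D2S's own code) re-checks a stored SBOM against a vulnerability feed and lists the affected components, which is the step that lets a team be alerted to a vulnerability identified after the SBOM was generated. The SBOM content, the feed structure and the advisory identifiers are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// advisory is a constructed vulnerability-feed entry (placeholder IDs, not real CVEs).
type advisory struct {
	ID       string
	Purl     string   // package URL without the @version suffix
	Affected []string // affected versions, matched exactly
}

// findAffected re-checks a stored CycloneDX-style SBOM (only each component's purl is
// read) against the current feed and returns one "ADVISORY-ID purl" line per hit.
func findAffected(sbomJSON []byte, feed []advisory) ([]string, error) {
	var doc struct {
		Components []struct{ Purl string `json:"purl"` } `json:"components"`
	}
	if err := json.Unmarshal(sbomJSON, &doc); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range doc.Components {
		name, ver, _ := strings.Cut(c.Purl, "@") // package identity and version
		for _, a := range feed {
			for _, v := range a.Affected {
				if a.Purl == name && v == ver {
					hits = append(hits, a.ID+" "+c.Purl)
				}
			}
		}
	}
	sort.Strings(hits) // stable order, so repeated alerts can be de-duplicated
	return hits, nil
}

func main() {
	// Constructed SBOM and feed; ADV-PLACEHOLDER-1 is newer than the SBOM, which is why a stored SBOM is re-checked whenever the feed updates.
	sbom := []byte(`{"components":[{"purl":"pkg:golang/example.org/parser@1.2.0"},{"purl":"pkg:npm/example-widget@4.0.1"}]}`)
	feed := []advisory{
		{ID: "ADV-PLACEHOLDER-1", Purl: "pkg:golang/example.org/parser", Affected: []string{"1.1.0", "1.2.0"}},
		{ID: "ADV-PLACEHOLDER-2", Purl: "pkg:npm/example-widget", Affected: []string{"3.9.0"}},
	}
	hits, err := findAffected(sbom, feed)
	fmt.Println(hits, err) // [ADV-PLACEHOLDER-1 pkg:golang/example.org/parser@1.2.0] <nil>
}
```

Running the same SBOM through findAffected again after the feed changes is the whole point: the SBOM is a fixed record of what shipped, while the feed keeps moving.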
Assured path to production
Applications follow a defined Path to Production process.
D2S and application teams mutually agree any residual risk associated with deployment, alongside its management and application support plans. Upon agreement, applications can deploy.
Containers in the development environment are cryptographically signed. When they are deployed into production, the signature is verified before execution, ensuring the container is the one intended and has not been tampered with.
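As an added illustration of the sign-then-verify gate described above (example code, not D2S's own; this page does not name the signing tooling D2S uses), a Go sketch in which the development pipeline signs an image digest with an Ed25519 key and the production admission step refuses any image whose digest does not carry a signature from a trusted pipeline key. The key handling, the digest source and the admission hook are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// imageDigest stands in for the content digest a registry assigns to a built image.
// It is derived from constructed bytes here so the example runs offline.
func imageDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// signImage runs in the development environment: the pipeline key signs the digest,
// binding the signature to this exact image content.
func signImage(priv ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(priv, []byte(digest))
}

// admitImage runs in production before the container starts: the digest must verify
// under one of the trusted pipeline keys, otherwise the deployment is refused.
func admitImage(trusted []ed25519.PublicKey, digest string, sig []byte) error {
	for _, pub := range trusted {
		if ed25519.Verify(pub, []byte(digest), sig) {
			return nil
		}
	}
	return fmt.Errorf("admission refused: no trusted signature for %s", digest)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // assumed pipeline key pair
	digest := imageDigest([]byte("constructed image layer bytes"))
	sig := signImage(priv, digest)
	fmt.Println("genuine:", admitImage([]ed25519.PublicKey{pub}, digest, sig))
	// A modified image has a different digest, so the original signature no longer verifies.
	tampered := imageDigest([]byte("modified image layer bytes"))
	fmt.Println("tampered:", admitImage([]ed25519.PublicKey{pub}, tampered, sig))
}
```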
Continuous assurance at scale
D2S provides an end-to-end DevSecOps service using security tooling to ensure integrity and safety in the software development lifecycle for Defence users.
Through Continuous Authority to Operate, assurance is continuously maintained and reported live, with data available for MOD scrutiny.
As assurance runs continuously, it is not subject to expiry. Services remain authorised provided standards are maintained.
Collectively, these capabilities assure the background supply chain and provide certainty of service continuation to the foreground supply chain.
Looking ahead
As software development continues to evolve, the complexity of application supply chains will continue to increase.
D2S provides a model for securing this environment, combining platform, tooling and continuous assurance to enable rapid and secure application delivery.
Working with industry
D2S is not a closed environment. It is designed to work with industry.
By standardising how applications are built, tested and assured, D2S creates a common model that can be applied across both MOD and industry-delivered software.
For industry, this creates clearer expectations and a more predictable environment in which to develop and integrate software. It reduces duplication in assurance activity and provides a more direct route to deploying secure applications into Defence environments.
This supports alignment to Defence security requirements from the outset.