The U.K. government has introduced a voluntary Software Security Code of Practice to enhance the security and resilience of software used by organizations and businesses. It aims to help software vendors and their customers reduce the likelihood and impact of supply chain attacks and other resilience-related incidents, which often stem from avoidable weaknesses in software development and maintenance. Poor communication between organizations and software suppliers can further worsen these issues.
Developed through extensive consultation with the National Cyber Security Centre (NCSC), industry, and academia, and refined through public feedback gathered between May and August 2024, the Code outlines 14 principles for vendors under four themes. These principles set a consistent baseline for software security and resilience across the market.
The principles that form the Code of Practice apply to any type of software supplied to business customers. The government has identified them as fundamental, achievable measures that can reasonably be expected of organizations of any size, type, or sector. Implemented together, they represent a robust approach to software security and resilience and help secure the foundations of the digital technologies and services that connect digital supply chains.
The Software Security Code of Practice should be viewed within the broader context of cybersecurity guidance from the Department for Science, Innovation and Technology (DSIT) and read alongside other relevant codes of practice, in particular the Cyber Governance Code of Practice, which sets out the baseline governance expectations for any organization using digital technologies.
Additionally, the voluntary Code of Practice is designed to complement relevant international approaches and existing standards, limiting the compliance burden for organizations operating across borders. Where possible, the Code reflects internationally recognised best practice, including the US Secure Software Development Framework (SSDF) and the EU’s Cyber Resilience Act, as well as existing guidance and formal standards.
The U.K. government is providing a self-assessment form to accompany this code of practice, which can be used for internal compliance monitoring or can be shared with customers to provide software security assurance. The assurance approach for this Code of Practice has been developed to follow the NCSC’s Principles Based Assurance approach. This breaks the Code of Practice down into a set of Assurance Principles and Claims (APCs).
Taking the Code’s principles as the starting point, the APCs set out a series of claims describing the ideal scenario; a vendor that can substantiate these claims is meeting the principles of the Software Security Code of Practice. The evidence offered in support may vary with the specific processes each organization uses, which gives organizations flexibility in how they demonstrate compliance using the form provided.
Moreover, the UK government is currently working to develop a certification scheme based on this compliance process. Further information about this certification process will be shared in due course.
The Software Security Code of Practice identifies that a Senior Responsible Owner should be appointed at the senior leadership level to ensure accountability for implementing these principles within their organization.
Under the theme of Secure Design and Development, the principles are intended to ensure that software is appropriately secure at the point of delivery. The Senior Responsible Owner in vendor organizations is responsible for gaining assurance that their organization adheres to the following practices concerning any software or software services they offer.
Organizations should follow an established secure development framework to guide their software development processes. They must understand the composition of their software and assess risks associated with the use and maintenance of third-party components throughout the development lifecycle. A clear process must be in place to test software and any updates before they are distributed. Additionally, organizations should embed secure-by-design and secure-by-default principles throughout the entire software development lifecycle.
Under the Build Environment Security theme of the Software Security Code of Practice, the principles focus on taking appropriate steps to minimise the risk of build environments being compromised and to safeguard the integrity and quality of the software.
The Senior Responsible Owner in vendor organizations must ensure that, for any software or software services it provides, the organization protects its build environment against unauthorized access and controls and logs all changes made to that environment.
Under the Secure Deployment and Maintenance theme of the Software Security Code of Practice, these principles aim to ensure that software remains secure throughout its lifecycle, reducing the likelihood and impact of vulnerabilities.
The Senior Responsible Owner in vendor organizations must ensure that their organization upholds the following practices regarding any software or software services it provides. Software must be distributed securely to customers. An effective vulnerability disclosure process should be implemented and publicly available.
Organizations must have clear processes and documentation in place for proactively detecting, prioritizing, and managing vulnerabilities in software components. Where appropriate, vulnerabilities should be reported to relevant parties. Finally, organizations must provide timely security updates, patches, and notifications to customers.
Under the Communication with Customers theme of the Software Security Code of Practice, these principles are designed to ensure that vendor organizations provide customers with sufficient information to support effective risk and incident management.
The Senior Responsible Owner in vendor organizations must ensure that their organization fulfils the following responsibilities covering any software or software services it provides. Customers should be clearly informed about the level of support and maintenance offered for the software being sold. Vendors must also provide customers with at least one year’s notice before ending support or maintenance for any software. Additionally, organizations should make relevant information available about notable incidents that could significantly impact their customers.
The document also states that senior leaders are responsible for ensuring their organization meets the requirements of the Software Security Code of Practice, including equipping teams with the necessary skills and resources through formal education, training, and exposure to secure development standards. Building software security expertise is key to fostering a culture that prioritises security.
To support this, government initiatives are strengthening the cybersecurity talent pipeline. The U.K. Cyber Security Council sets professional standards to guide career development in the field. The NCSC’s certified degree programme recognises university courses with strong cybersecurity content, helping employers identify qualified candidates and supporting workforce development.
This year, the NCSC will launch an updated undergraduate certification standard that emphasises software security and secure software lifecycle knowledge, aiming to better prepare graduates to meet the demands of the Code.