Government launches voluntary software security code of practice


The UK government has introduced a voluntary Software Security Code of Practice aimed at bolstering the security and resilience of software used by organisations and businesses across the nation. The initiative seeks to help software vendors and their customers mitigate the risk and impact of supply chain attacks and other resilience-related incidents, which often originate from preventable weaknesses in how software is developed and maintained. The government also noted that poor communication between organisations and their software suppliers can exacerbate these issues.

Developed through extensive consultation with the National Cyber Security Centre (NCSC), industry experts, and academics, and refined following public feedback gathered between May and August 2024, the Code outlines 14 principles for vendors, organised under four key themes. These principles are intended to establish a consistent baseline for software security and resilience throughout the market.

These principles are applicable to all types of software supplied to business customers. The government has identified them as fundamental and achievable measures that should be reasonably expected from organisations regardless of their size, type, or sector. Adherence to these principles would constitute a robust approach to software security and resilience, helping to secure the foundations of the digital technologies and services that underpin digital supply chains.

The Software Security Code of Practice should be considered within the broader context of cybersecurity guidance provided by the Department for Science, Innovation and Technology, and should be read in conjunction with other relevant codes of practice, notably the Cyber Governance Code of Practice, which sets baseline expectations for organisations using digital technologies.

This voluntary Code of Practice is designed to complement relevant international approaches and existing standards in this area, aiming to minimise the compliance burden for organisations operating internationally. Where feasible, the Code reflects internationally recognised best practices, including those outlined in the US Secure Software Development Framework (SSDF) and the EU’s Cyber Resilience Act, as well as existing guidance and formal standards.

The UK government is providing a self-assessment form to accompany the Code, which can be used for internal compliance monitoring or shared with customers to provide assurance regarding software security. The assurance approach for this Code of Practice has been developed based on the NCSC’s Principles Based Assurance approach, breaking the Code down into a set of Assurance Principles and Claims (APCs).

Using the Code of Practice as its foundation, the APCs derive a set of ideal-scenario claims that, if met, indicate that the software vendor is adhering to the principles of the Software Security Code of Practice. The type of evidence provided may vary depending on the specific processes used by each organisation, offering flexibility in how compliance can be demonstrated using the provided form.

Looking ahead, the UK government is currently working on developing a certification scheme based on this compliance process, with further details to be shared in due course. The Software Security Code of Practice emphasises the importance of appointing a Senior Responsible Owner at a senior leadership level to ensure accountability for the implementation of these principles within their organisation.

The document highlights that senior leaders are responsible for ensuring their organisations meet the requirements of the Software Security Code of Practice, including equipping teams with the necessary skills and resources through training and exposure to secure development standards.

To support this, government initiatives are strengthening the cybersecurity talent pipeline. The UK Cyber Security Council sets professional standards, and the NCSC’s certified degree programme recognises relevant university courses. This year, the NCSC will launch an updated undergraduate certification standard to emphasise Software Security and Secure Software Lifecycle (SSL) knowledge, aiming to better prepare graduates for the demands of the Code.
