
Government Proposes Code of Practice on Secure Software

Aims to enhance software security practices and better secure digital supply chains.


A code of practice which outlines the fundamental security and resilience measures that should be reasonably expected of all organisations that develop and/or sell software to organisational customers is being developed.

The government's response to the Call for Views on Software Resilience and Security for Businesses and Organisations, which opened for responses in January 2024, says the code seeks to ensure security and resilience are embedded into the development and distribution of products and services.

Now, 15 months on, the code is being drafted and is expected to be published this year. It is set to comprise a set of voluntary measures that software vendors would be expected to implement to establish a consistent baseline of security and resilience across the market, raising the bar across our digital supply chains.

Consistent Level

Aiming to ensure “a more consistent level of best practice adoption for security and resilience in software development, distribution, and maintenance”, the statement said that the proposed code of practice would be a useful tool to help enhance software security practices and better secure digital supply chains across the UK and the digital economy.

Next steps for the NCSC and Department for Science, Innovation and Technology (DSIT) include:

Publishing the code in 2025. The revised version will include minor edits reflecting feedback on the content and wording of the code, on its achievability for small organisations, and on clarity. The government will also provide a glossary of key terms to aid understanding of the final code of practice.

NCSC and DSIT will further refine the technical controls and implementation guidance to publish alongside the code of practice. To meet the need for more detail, further content and specific claims will be added to the examples provided in the call for views to better support organisations. Particular attention will be paid to the provisions that respondents thought would be more challenging for smaller organisations.

NCSC and DSIT will develop an attestation method and assurance regime to allow software vendors to demonstrate compliance with the code. This will be based on the technical controls using the NCSC’s Principles Based Assurance Approach. The tool is intended as a market incentive for both software vendors and their customers, to facilitate accountability, market differentiation and supplier assessment methods.

Government will continue to map the code of practice against other standards, regulation and guidance. This mapping will allow DSIT and the NCSC to explore the potential for demonstrating equivalence between existing standards or frameworks and aspects of the code of practice.

The code of practice has been designed specifically to be compatible with the NCSC’s Principles-Based Assurance Approach.

Increasingly Interconnected

Feryal Clark MP, Parliamentary Under-Secretary of State for AI and Digital Government, said as modern businesses are increasingly interconnected and reliant on new and existing technologies, it is important they understand the risks these technologies pose, not only to their own organisations, but also to their customers and wider supply chains.

She said: “Software here plays a crucial role. It is the foundation of digital technology. It is in all digital devices and services which organisations across all sectors rely on for innovation and growth. However, software is now so widespread in business operations and processes that its fundamental role is often taken for granted.

“When software is compromised or malfunctions, it can halt organisational operations entirely, and this reliance makes software a prime target for malicious actors.”

Saying it is “within our power to limit the likelihood of avoidable weaknesses and vulnerabilities which are being exploited by malicious actors or causing disruption through software failure,” Clark said the proposed code of practice seeks to ensure security and resilience are embedded into the development and distribution of products and services.

“The code comprises a set of voluntary measures that software vendors would be expected to implement to establish a consistent baseline of security and resilience across the market, raising the bar across our digital supply chains.”

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
