The proposed Code of Practice for software vendors
The UK government is taking concrete steps to bolster the security and resilience of software used by UK businesses through the planned publication of a new Code of Practice for Software Vendors. Whilst compliance will be voluntary, the decision to introduce a new code signals a clear intention to raise the bar for software security across the board, by ensuring that those who develop, distribute, and sell software (including software services, or products or services containing software) to B2B customers integrate best practices for software security and resilience throughout their organisations and supply chains.
In May 2024, in collaboration with the National Cyber Security Centre (NCSC), the Department for Science, Innovation and Technology (DSIT) published the draft Code of Practice for Software Vendors as part of a call for views to inform government policy on software security. The draft contains 21 provisions, underpinned by four core principles, providing recommendations on how software should be designed and developed, on build environment security, on secure deployment and maintenance, and on effective customer communication. Development of the Code of Practice is intended to improve levels of security and resilience and to provide a supply chain management tool for businesses.
Fast forward to March this year and the government has now published its response to the call for views. Almost 90 respondents, including organisations primarily involved in software development, sales, procurement, and cybersecurity, provided submissions on the proposed framework. The key takeaways from the response are:
- there is strong support for the creation of a Code of Practice, and overall support for the provisions and principles set out in the draft Code
- there is a demand for more than just high-level principles: detailed technical controls, implementation guidance, and real-world case studies have been requested by respondents
- in order to streamline implementation and facilitate compliance, respondents expressed an interest in aligning the Code with existing industry standards, regulations, and guidance, and
- a clear majority of respondents called for an assurance or certification scheme to provide independent verification of compliance with the Code.
The government, having considered the responses received, has outlined its planned next steps as follows:
- a final updated version of the Code, complete with a glossary of key terms, will be published later this year. It will be accompanied by updated technical controls and implementation guidance;
- an attestation method and assurance regime, grounded in the NCSC's Principles Based Assurance, will be established to enable vendors to demonstrate adherence to the Code;
- it will continue with its efforts to map the Code against existing standards and regulations; and
- recognising that businesses, particularly SMEs, need support in navigating software security, it plans to explore developing additional guidance on incorporating security considerations into procurement and supplier management processes.
Open-source software: a parallel focus
Acknowledging the importance of open-source software (OSS) in the digital landscape, the government has also released a report outlining best practices and risk management strategies for businesses using OSS – Open source software best practice and supply chain risk management – alongside its response to the call for views on the Code. The report provides further recommendations to assist organisations in mitigating the risks associated with OSS in the supply chain. These recommendations include:
- establishing clear internal policies for OSS adoption;
- creating a software bill of materials – a list of OSS components used in software products – to track OSS components and their dependencies within the supply chain;
- implementing continuous monitoring of the software supply chain for vulnerabilities, licensing issues and new versions of OSS components, whilst encouraging appropriate tooling to be used to automate the process of OSS management; and
- fostering active engagement with the OSS community to attract new talent, to level the playing field for smaller organisations (which do not have the resources to compete with larger organisations in developing software in-house) and to drive innovation, ensuring high-quality OSS components and a sustainable OSS ecosystem.
The current direction of travel
The Code, and the report on OSS best practice and supply chain risk management, form part of a wider cybersecurity programme being pursued by the UK government to foster growth and innovation through the safe use of new and existing technologies. This includes the Cyber Security and Resilience Bill announced as part of the July 2024 King’s Speech (due to be introduced to Parliament in 2025) which seeks to expand the remit of regulation to protect more digital services and supply chains whilst providing resources and powers to regulators to proactively investigate potential vulnerabilities.
While the Code currently relies on voluntary participation, it seems likely that customers will expect their software vendors to comply with the Code and the recommendations of the OSS best practice report. In addition, the UK government may consider implementing mandatory measures in the future, if necessary, given the government's stated commitment to fostering a secure and trustworthy digital environment for investment and innovation, which includes safeguarding the nation's critical services and digital infrastructure.
With that in mind, customers and software vendors should consider taking the following steps with respect to their business and operations:
Considerations for software buyers
- Procurement: consider making compliance with the Code and the recommendations of the OSS best practice report a condition of participation in software procurement processes.
- Contractual remediation: update software contracts (development, maintenance, on-prem and cloud contracts) to require compliance on an ongoing basis with the Code, including imposing an obligation on vendors to cascade the requirements to their subcontractors and others in the supply chain.
- OSS governance: customers should review their OSS governance processes to ensure they have in place an appropriate OSS policy, a software bill of materials which tracks OSS components in their supply chain, and appropriate tooling (e.g. software composition tools) to monitor their software supply chain to identify vulnerabilities and licensing issues.
Considerations for software vendors
- Implementation: as there are unlikely to be any further material changes to the draft Code, vendors should now start to take the steps needed to achieve compliance with the Code. These are likely to include:
  - conducting a gap analysis between current processes and the requirements/recommendations of the Code;
  - analysing the financial implications of addressing any gaps identified; and
  - addressing the gaps identified.
- Enhance supply chain transparency: in relation to OSS, vendors should, if they have not already done so, create a software bill of materials which tracks OSS components used by subcontractors and others in their supply chain.
- Contractual remediation: as noted above, customers are likely to require vendors to cascade equivalent compliance obligations to their subcontractors and others in the supply chain, so vendors should start to plan for updating contract terms with supply chain partners to achieve this.
If you would like more information about any of the matters raised in the above article, please contact Paul O’Hare or Elizabeth Lumb.