This article provides an update to our previous alert “UK government sets sights on secure software: new Code of Practice on the horizon” and discusses the final form of the Software Security Code of Practice recently published by the UK government. The Code aims to help software vendors and their customers minimise the risks and potential consequences of software supply chain attacks (and other software resilience-related incidents). While voluntary, it sets out the baseline security and resilience standards reasonably expected of any organisation developing or selling software to businesses or other organisations. This covers providers of standalone software and software services, as well as organisations whose products or services incorporate software components. However, the Code is of particular relevance to business-to-business sales and distribution of proprietary software.
Key changes from the previous draft code
Following a call for views on a draft version of the Code in 2024 (A Code of Practice for Software Vendors: call for views), the final version, developed by the Department for Science, Innovation and Technology (DSIT) in collaboration with the National Cyber Security Centre (NCSC), has been streamlined and refined. The initial draft contained 21 provisions; the updated version contains 14 key high-level principles, albeit addressing the same four fundamental themes as set out in the draft:
Secure design and development
Vendors must ensure software security by:
- adhering to a secure development framework;
- understanding software composition and assessing risks related to third-party components;
- testing software and updates before distribution; and
- applying "secure by design" and "secure by default" principles.
Build environment security
Vendors must protect the build environment by preventing unauthorised access and controlling and logging changes to it.
Secure deployment and maintenance
Vendors must maintain ongoing software security by:
- securely distributing software to customers;
- implementing and publishing an effective vulnerability disclosure process;
- establishing processes and documentation for proactively detecting, prioritising, and managing vulnerabilities in software components;
- reporting vulnerabilities to relevant parties (where appropriate); and
- providing timely security updates, patches and notifications to customers.
Communication with customers
Vendors must communicate effectively with customers by providing them with information specifying support and maintenance levels for the software, providing at least one year's notice of end-of-support, and sharing information about incidents that may significantly impact them.
The simplification of the Code represents a conscious effort by the government to remove potential barriers to adoption. The intention is that in-scope organisations, regardless of size, should be enabled to successfully implement its recommendations. Besides reducing the number of provisions and rewording them for clarity and conciseness, the revised Code also emphasises:
Outcomes rather than detailed requirements
The final Code prioritises outcomes over prescriptive actions, giving vendors more flexibility in implementation.
Vendor accountability
There is greater emphasis on vulnerability disclosure, security updates, and customer communication.
Technology-neutral approach
As with the draft, the final Code avoids mentioning specific technologies to ensure that it has both the greatest adaptability and the broadest applicability.
Next steps
The UK government has committed to supporting the Code’s implementation through:
Implementation guidance
Implementation guidance has been published on the NCSC’s website. This is intended to support technical teams responsible for implementing the Code’s recommendations, and to help vendors demonstrate conformance. The guidance also signposts organisations to existing guidance and frameworks such as the NIST Secure Software Development Framework.
Assurance regime
The government has developed a Software Security Code of Practice Self-Assessment Template aligned with the NCSC's Principle Based Assurance Approach, for monitoring internal compliance and sharing with customers to provide software security assurance. A certification scheme based on this approach is also under development by the UK government.
Procurement guidance
Businesses and organisations procuring software are urged to use the Code to inform negotiations with suppliers and their contracts. DSIT also plans to develop additional software supplier management guidance to help customers hold suppliers accountable.
Implications for stakeholders
- Both software vendors and buyers should familiarise themselves with the final Code and the accompanying guidance. Buyers should consider incorporating compliance into procurement processes and contracts, while vendors should begin taking concrete steps towards implementation now.
- The Code envisions organisations appointing a Senior Responsible Owner (SRO) at a senior level to be accountable for implementing the Code. The SRO is to ensure that all relevant teams and individuals have the required skills and resources to meet the Code's requirements. The Code lists several government schemes that, alongside industry training, can be accessed to help organisations provide appropriate skills training and development.
- The Code is meant to be read in conjunction with the other cybersecurity guidance issued as part of the DSIT Cyber Security Codes of Practice, including the Cyber Governance Code of Practice (published in April 2025), which provides guidance to businesses on managing digital risks and protecting against cyber attacks, and which sets baseline expectations for all organisations using digital technologies.
- While not the primary audience, open-source software (OSS) developers and maintainers may find the Code useful. However, it should be noted that DSIT has also published specific research (in March 2025) mapping and evaluating existing best practices for mitigating risks related to open-source software.
Finally, while adoption of the Software Security Code of Practice is not currently mandatory, it forms a key element of the UK Government’s national cyber resilience strategy (alongside proposed legislation like the Cyber Security and Resilience Bill), and appears intended to become a de facto industry standard, and, potentially, to inform future domestic legislation. Therefore, aligning with the Code would seem to be a sound move for software developers, suppliers and resellers. Doing so not only demonstrates a commitment to best practice and builds trust with customers but also prepares businesses for the evolving regulatory landscape and strengthens their competitive position in the market.
For more information, please contact Paul O’Hare or Elizabeth Lumb.