The UK government has published a new voluntary code entitled the Software Security Code of Practice. The Software Security Code of Practice (the Code) has been developed to improve the security and resilience of software that organisations rely on, and is designed to support software vendors and their customers in reducing the likelihood and impact of software supply chain attacks and other software resilience incidents. Whilst the Code is voluntary, it provides an opportunity for vendors to strengthen their security provisions and build trust with customers. The Code is intended to be considered as part of the broader suite of cyber security guidance issued by the Department for Science, Innovation and Technology (DSIT), and is designed to be complementary to relevant international approaches and existing standards in this space, so as to limit the compliance burden for organisations operating across borders.
Who does the Code apply to?
The Code is applicable to the following organisations, particularly those involved in business-to-business commercial relationships:
- Software developers and distributors
- Software resellers
- Software developers only (organisations that develop software but do not themselves distribute or resell it)
- Open-source developers and maintainers
Customers may also use the Code to guide supplier negotiations, for example by asking providers to confirm that they comply with it, so as to obtain software that is secure and resilient.
The principles
The Code consists of 14 principles that software vendors are expected to implement in order to establish a consistent baseline of software security and to mitigate cyber risk. The Code groups these principles into four themes:
- secure design and development;
- build environment security;
- secure deployment and maintenance; and
- communication with customers.
The UK government has identified these principles as fundamental and achievable measures that should be reasonably expected from organisations of any size, type or sector.
Self-assessment or audit
Vendors can self-assess or opt for an independent audit to demonstrate compliance. A self-assessment form has also been published to accompany the Code; it is intended for use in internal compliance monitoring and can be shared with customers to provide software security assurance. The assurance approach for the Code has been developed to follow the National Cyber Security Centre's (NCSC) Cyber Resilience Testing Principles and Claims standards, which derive a set of ideal-scenario claims that, if met, mean the software vendor is achieving the principles of the Code.
Skills
The Code notes that senior leaders should be accountable for ensuring that their organisations fulfil the requirements of the Code, and for ensuring that the teams and individuals implementing the measures have the necessary skills and resources. This includes formal qualifications as well as on-the-job training and exposure to relevant knowledge (e.g. secure coding standards).
What’s next?
It remains to be seen whether the voluntary nature of the Code will limit its effectiveness; however, its publication undoubtedly reflects the government's ongoing focus on codifying minimum standards for technology providers in order to reduce cyber risk. The government has said that details of a certification scheme will be "shared in due course", which promises to further bolster trust in software security.