The UK government has published the Software Security Code of Practice which aims to clarify the expectations on vendors and create a consistent standard of software security across the market.
News about recent cyber-attacks affecting UK retailers makes the publication, on 7 May 2025, of the Software Security Code of Practice (Code) more timely than ever. The Code was produced in conjunction with the National Cyber Security Centre (NCSC), industry experts and academics and takes account of feedback from a public call which took place last year.
The Code is designed to help software vendors “establish a consistent baseline of software security and resilience across the market” and should be read in conjunction with other codes of practice and guidance, such as those provided by the Department for Science, Innovation and Technology.
The Code is made up of 14 principles, which fall into the following categories:
- Secure design and development – to ensure that software is secure when it is supplied to the customer. Vendors should develop software in accordance with a secure development framework, understand the composition of the software (and particularly the third-party elements via which risk could be imported), carry out testing and continue to adhere to secure design principles throughout the development lifecycle of the software.
- Build environment security – to guard against unauthorised access to the build environment.
- Secure deployment and maintenance – to help ensure security within the downstream supply chain and in the maintenance of the software.
- Communication with customers – vendors should provide clear information about the support and maintenance supplied with the software, advance notice if they plan to stop support/maintenance, and information about security incidents which may cause significant impact to customers. This should ensure that customers have the information needed for risk and incident management purposes, thereby reducing the risk that the security of their software will be compromised.
The Code was originally aimed at vendors of open-source software but now applies to all organisations that develop and sell any software or software services, regardless of size or sector.
Although the Code is voluntary, vendors may find that their customers will expect them to comply with it, whether through a self-assessment process or via an independent audit. It may not be just software vendors/developers who find they need to comply with the Code – others in the supply chain, such as distributors and resellers and those involved in maintenance and support, may find their customers’ due diligence processes include checking for compliance with the Code.
The Code places the responsibility of compliance on senior leaders within organisations and this responsibility extends to ensuring that the relevant employees have the necessary skills, resources and training to comply with the Code. It does not set out any practical guidance for vendors, but the NCSC has provided some implementation guidance to help vendors understand how they can meet the principles. The NCSC has also provided a template self-assessment document that can be used for internal monitoring purposes and/or when responding to a customer’s request to demonstrate compliance.
It is uncertain whether the voluntary nature of the Code will affect its efficacy, but we understand that the government is looking at a possible certification scheme, indicating that it expects the Code’s principles to become more embedded within the sector over time. This being the case, early adoption of the Code may benefit vendors and others within the supply chain by reducing the need to play “catch-up” at a later stage.