A guide to the Software Security Code of Practice

13th May 2025

At the government-organised event “CyberUK”, the Government published a new voluntary Software Security Code of Practice (the Code) (Software Security Code of Practice – GOV.UK), which sets out essential steps that every organisation that develops or sells software should be taking to secure its products. This is particularly relevant following the recent high-profile cyber-attacks at major retailers such as Marks & Spencer. The Code seeks to reduce the likelihood and impact of software supply chain attacks and other software resilience incidents, which often result from avoidable weaknesses in software development and maintenance practices.

If you are a software developer, or a business that is either buying or selling software, the new Code should be considered, as it aims to establish a consistent baseline of software security and resilience across the market. The Code sets out fundamental security and resilience measures that software purchasers should reasonably be able to expect.

Implementation of the principles in the Code may vary depending on the size and/or sector of your business, or the type of software being produced. However, the government has provided helpful guidance to assist you in finding the right implementation for your organisation.

The 14 practical principles are split across 4 key themes and are set out below:

Secure design and development

  • Follow an established secure development framework.
  • Understand the composition of the software and assess risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle.
  • Have a clear process for testing software and software updates before distribution.
  • Follow secure by design and secure by default principles throughout the development lifecycle of the software.

Build environment security

  • Protect the build environment against unauthorised access.
  • Control and log changes to the build environment.

Secure deployment and maintenance

  • Distribute software securely to customers.
  • Implement and publish an effective vulnerability disclosure process.
  • Have processes and documentation in place for proactively detecting, prioritising and managing vulnerabilities in software components.
  • Report vulnerabilities to relevant parties where appropriate.
  • Provide timely security updates, patches and notifications to customers.

Communication with customers

  • Provide information to the customer specifying the level of support and maintenance provided for the software being sold.
  • Provide at least 1 year’s notice to customers of when the software will no longer be supported or maintained by the vendor.
  • Make information available to customers about notable incidents that may cause significant impact to customer organisations.

But it’s voluntary?

Whilst following the Code is voluntary, cyber security is and will remain a key consideration for many organisations. The new Code has the potential to improve software security in the future, by providing software businesses with guidance to assist them and in return provide customers with trust in software products.

The government is currently exploring introducing a certification scheme which means getting a head start on this now may put you ahead of the game.

If you would like to discuss how this impacts your business and what steps you need to take, contact Caprice Coulson.
