The UK government has issued a voluntary Software Security Code of Practice which has been developed to improve the security and resilience of software that organisations and businesses rely on. It aims to support software vendors and their customers in reducing the likelihood and impact of software supply chain attacks and other software resilience incidents. It contains 14 principles split across four themes. A Senior Responsible Owner should be appointed at senior leadership level to hold accountability for the principles being followed within their organisations.
Secure design and development
These principles aim to ensure that the software is appropriately secure when provided. The Senior Responsible Owner in vendor organisations shall gain assurance that their organisation achieves the following in relation to any software or software services sold by their organisation:
- Follow an established secure development framework.
- Understand the composition of the software and assess risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle.
- Have a clear process for testing software and software updates before distribution.
- Follow secure by design and secure by default principles throughout the development lifecycle of the software.
Build environment security
These principles ensure that the appropriate steps are taken to minimise the risk of build environments becoming compromised and protect the integrity and quality of the software. The Senior Responsible Owner in vendor organisations shall gain assurance that their organisation achieves the following in relation to any software or software services sold by their organisation:
- Protect the build environment against unauthorised access.
- Control and log changes to the build environment.
Secure deployment and maintenance
These principles aim to ensure that the software remains secure throughout its lifetime, to minimise the likelihood and impact of vulnerabilities. The Senior Responsible Owner in vendor organisations shall gain assurance that their organisation achieves the following in relation to any software or software services sold by their organisation:
- Distribute software securely to customers.
- Implement and publish an effective vulnerability disclosure process.
- Have processes and documentation in place for proactively detecting, prioritising and managing vulnerabilities in software components.
- Report vulnerabilities to relevant parties where appropriate.
- Provide timely security updates, patches and notifications to customers.
Communication with customers
These principles aim to ensure that vendor organisations provide sufficient information to customers to enable effective risk and incident management. The Senior Responsible Owner in vendor organisations shall gain assurance that their organisation achieves the following in relation to any software or software services sold by their organisation:
- Provide information to the customer specifying the level of support and maintenance provided for the software being sold.
- Provide at least one year's notice to customers of when the software will no longer be supported or maintained by the vendor.
- Make information available to customers about notable incidents that may cause significant impact to customer organisations.
The Department for Science, Innovation and Technology and the National Cyber Security Centre (NCSC) have written a joint article explaining the background to the Software Security Code of Practice. The NCSC has also provided an assurance process.