Software Security: Code of Practice launched

A new voluntary Software Security Code of Practice has been launched with the stated aim of supporting software vendors and their business customers to “reduce the likelihood and impact of software supply chain attacks and other software resilience incidents”.

The Code of Practice is part of the broader programme of work undertaken by the Government in the area of cyber security, including the recently-published Cyber Governance Code of Practice, on which we commented here.

Whilst primarily relevant to the sale and distribution of proprietary software in B2B contexts, the Code is described as setting out “the fundamental security and resilience measures that should reasonably be expected from all organisations that develop and/or sell software to businesses or other organisations. This includes those that supply standalone software or software services, or organisations selling goods or services that contain software”.

The Code contains 14 principles structured around four themes:

  1. Secure Design and Development
  • Follow an established secure development framework.
  • Understand the composition of the software and assess risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle.
  • Have a clear process for testing software and software updates before distribution.
  • Follow secure by design and secure by default principles throughout the development lifecycle of the software.
  2. Build Environment Security
  • Protect the build environment against unauthorised access.
  • Control and log changes to the build environment.
  3. Secure Deployment and Maintenance
  • Distribute software securely to customers.
  • Implement and publish an effective vulnerability disclosure process.
  • Have processes and documentation in place for proactively detecting, prioritising and managing vulnerabilities in software components.
  • Report vulnerabilities to relevant parties where appropriate.
  • Provide timely security updates, patches and notifications to customers.
  4. Communication with Customers
  • Provide information to the customer specifying the level of support and maintenance provided for the software being sold.
  • Provide at least one year’s notice to customers of when the software will no longer be supported or maintained by the vendor.
  • Make information available to customers about notable incidents that may cause significant impact to customer organisations.

The Code is also accompanied by a self-assessment form which is intended both for internal compliance monitoring and for vendors to share with their customers to provide software security assurance. The Government is also working to develop a certification scheme in due course.

To read more, click here.