Government seeks views on code of practice to improve the resilience and security of software

Announced by Minister Saqib Bhatti at CyberUK24, the Department for Science, Innovation and Technology has launched a Call for Views on a draft code of practice for software vendors to improve the resilience and security of software – which has become so widespread in day-to-day organizational operations. Government’s intention to propose this policy intervention was outlined in its response to last year’s call for views on software resilience and security for businesses and organisations.

This draft voluntary code of practice's purpose is to prevent common mistakes in software development and distribution, and to improve information sharing between software vendors and their customers. By addressing these issues, we can reduce the likelihood and impact of software supply chain attacks that impact organisations across all sectors.  

The Code of Practice for Software Vendors sets out the fundamental security and resilience measures that should be expected of all organisations which develop or sell software used by businesses and other organisations. The Call for Views is looking for feedback on the proposed design of the code, the market need for it, the audience it should be addressing, as well as on how it should be implemented and on the proposed supporting materials.

The Call for Views on the Software Vendors Code of Practice will close at 11.59pm on Friday 9th August.

techUK will be submitting a response on behalf of members. If you would like to contribute to techUK’s response, please contact Annie Collings at [email protected].

Members are also encouraged to submit your own response to the Call for Views.

Please note that government is also consulting on a second – and closely linked – code of practice which sets out requirements for developers on how to implement a secure-by-design approach as part of their AI design and development process. You can find out more about the Call for Views on the Cyber Security of AI here.

More on the proposed Code of Practice for Software Vendors

The Code of Practice for Software Vendors, which has 21 provisions over four principles, outlines the fundamental security and resilience measures that should reasonably be expected of all organisations that develop and/or sell software to organisational customers. It includes guidance on how software should be developed, built, deployed and maintained, and how vendors can communicate effectively with customers that procure their software. In engaging with this Code of Practice, software vendors will significantly improve the cyber resilience of their product and services. 

The scope of the voluntary Code of Practice is to support any organisation developing and/or selling solely software products or services, or organisations selling digital products and services that contain software. Although the Code addresses risks with any type of software, including application or system software, it is most relevant to the sale and distribution of proprietary software as it sets out the responsibilities of software vendors in the context of business-to-business relationships.

Regarding open-source software, the developer/maintainer bears no formal commitment for the ongoing maintenance and security of products which must be managed by end-users or proprietary developers using open-source code in products made for sale. As such, aspects of the Code of Practice describing the relationship between the software vendor and procuring organisation may not be relevant to open source. Open-source developers may find aspects of the Code useful should they choose to use it and government is encouraging open-source software developers to observe the Code’s principles and the accompanying guidance where possible.   

Organisations procuring software also have certain responsibilities for the resilience and security of their own organisations, so the Call for Views document also sets out how organisations procuring software can take steps to ensure the resilience of their supply chain, including using the Code of Practice for Software Vendors to inform their understanding of the risks associated with the software they’re buying.

The principles of the Software Vendors Code of Practice are designed to be flexible and adaptable to suit different sizes and structures of organisations and the different products and services produced. They are focused on the fundamental principles that, if met, would constitute a reasonable and robust approach to software security for any software vendor.

The 4 principles of the Code of Practice are:

  1. Secure design and development

The Senior Responsible Officer in vendor organisations shall do the following: 

1.1 Ensure the organisation follows an established secure development framework.  

1.2 Ensure the organisation understands the composition of their software products and services and that risks linked to the ingestion and maintenance of third-party components, including open-source components, are assessed throughout the lifecycle.  

1.3 Ensure the organisation has a clear process for testing software before distribution.  

1.4 Ensure that the organisation follows secure by default principles throughout the development lifecycle of the product.  

The Senior Responsible Officer in vendor organisations should do the following: 

1.5 Ensure secure by design principles are followed throughout the development process. 

1.6 Encourage the use of appropriate security tools and technologies to make sure that the default options throughout development and distribution are secure.

  1. Build environment security

The Senior Responsible Officer in vendor organisations shall do the following: 

2.1 Ensure the build environment is protected against unauthorised access.  

The Senior Responsible Officer in vendor organisations should do the following: 

2.2 Ensure changes to the environment are controlled and logged.  

2.3 Ensure you are using a build pipeline you trust.  

  1. Secure deployment and maintenance

The Senior Responsible Officer in vendor organisations shall do the following:  

3.1 Ensure that software is distributed securely to customers. 

3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process. 

3.3 Ensure the organisation has processes in place for proactively detecting and managing vulnerabilities in software components it uses and software it develops, including a documented process to assess the severity of vulnerabilities and prioritise responses.  

3.4 Ensure that vulnerabilities are appropriately reported to the relevant parties. 

3.5 Ensure the organisation provides timely security updates, patches and notifications to its customers.  

Senior leaders in vendor organisations should do the following:  

3.6 Make a public affirmation that the organisation would welcome security researchers to test software products and services provided by the organisation as part of its vulnerability disclosure process.  

  1. Communication with customers

The Senior Responsible Officer in software vendor organisations shall do the following:  

4.1 Ensure the organisation provides information to the customer, in an accessible way, specifying the level of support and maintenance provided for the software product/ service being sold. 

4.2 Ensure the organisation provides at least 1 year’s notice to customers, in an accessible way, of when the product or service will no longer be supported or maintained by the vendor.  

4.3 Ensure information is made available to customers in an appropriate and timely manner about notable incidents that may cause significant impact to customer organisations.  

The Senior Responsible Officer in vendor organisations should do the following:  

4.4 Ensure that high level information about the security and resilience standards, frameworks, organisational commitments and procedures followed by the organisation is made available to customers. 

4.5 Ensure that the organisation proactively supports affected customers during and following a cyber security incident to contain and mitigate the impacts of an incident. How this would be done should be documented and agreed in contracts with the customer.  

4.6 Provide customer organisations with guidance on how to use, integrate, and configure the software product or service securely. 

Government is also developing further tools and guidance aimed at supporting organisations procuring software to build the principles and provisions of this Code of Practice into their procurement processes.

The Call for Views document also states that future interventions will include standardised contractual clauses that organisations can use in their contracts with software suppliers, and work is ongoing to explore options for accreditation or assurance against the Software Vendors Code of Practice and to explore demand by targeting particular customer groups, such as through government procurement. The government is also exploring further support for software vendors, and further detail on the broader package of software resilience and security information can be found here.  

The Call for Views document includes a list of the technical controls which set out the minimum set of actions that a software vendor needs to demonstrate to provide confidence in the software resilience of their product or service. These controls are designed to be objective and outcome-focused, giving organisations the flexibility to innovate and implement security solutions appropriate for their products and services.

The document also notes that implementation guidance will be provided to help guide teams on how to implement the Code of Practice and demonstrate the technical controls, and this will be based on technical guidance developed by the NCSC and its partners. (Annex B provides an example of implementation guidance.)

What would happen once the voluntary Code is up and running?

The proposed Code is voluntary, however, government will continue to work with software providers and procurers to monitor and evaluate the uptake and effectiveness of the Code, to determine if regulatory action is needed in the future.

You can view the full Call for Views on the Software Vendors Code of Practice here.  

Which cyber security codes of practice are relevant to my organisation?

DSIT has produced several cyber security codes of practice as part of government’s broader approach to improve baseline cyber security practices and cyber resilience across the UK. A modular approach has been developed to help organisations easily identify which codes (and which provisions within the codes) are relevant to them according to their business functions and the types of tech they use or manufacture. In the case of the Software Vendor Code of Practice, government’s expectation is that relevant organisations should, at a minimum, also adhere to the provisions in the Cyber Governance Code of Practice. Software is a key component of Artificial Intelligence, so relevant organisations will also want to consider this draft code of practice too. Find out more about government’s cyber security codes of practice here.

 

Jill Broom

Jill Broom

Head of Cyber Resilience, techUK

Annie Collings

Annie Collings

Programme Manager, Cyber Resilience, techUK

 

Related topics