On 7 May 2025, the government published a new voluntary Software Security Code of Practice for software vendors together with an assurance process.
What is the Code for?
The Code sets out fourteen principles aimed at supporting software vendors and their business customers in reducing the likelihood and impact of software supply chain attacks and other software resilience incidents. Where possible, the Code reflects internationally recognised best practices, including those outlined in the US Secure Software Development Framework and the EU's Cyber Resilience Act.
Which organisations is the Code aimed at?
The Code sets out fundamental security and resilience measures that should be reasonably expected from all organisations developing and/or selling software to businesses or other organisations. This includes software services and standalone software or goods that contain software, but it is most relevant to the sale and distribution of proprietary software in the context of B2B relationships. The government suggests that the main target audiences are software developers, distributors and resellers. While the Code is not aimed primarily at open source software developers and maintainers, the government suggests aspects of it may still be a useful tool for the open source community.
Who are the main stakeholders?
At a more granular organisational level, the Code is aimed primarily at senior leaders in software vendor organisations. A high level of technical understanding of the issues is not required, but they are the ones who would need to oversee adherence. The Code is also relevant to other functions and roles including specialist technical teams covering software development, design and maintenance, as well as teams dealing with customers. Businesses and organisations procuring software may also want to refer to the Code in negotiations or to inform agreements and contracts with suppliers.
What are the principles?
Secure design and development
- follow an established secure development framework
- understand the composition of the software and assess risks linked to the ingestion and maintenance of third-party components throughout the development cycle
- have a clear process for testing software and software updates before distribution
- follow secure by design and default principles throughout the development lifecycle.
Building environment security
- protect the build environment against unauthorised access
- control and log changes to the build environment.
Secure deployment and maintenance
- distribute software securely to customers
- implement and publish an effective vulnerability disclosure process
- have processes and documentation in place for proactively detecting, prioritising and managing vulnerabilities in software components
- report vulnerabilities to relevant parties where appropriate
- provide timely security updates, patches and notifications to customers.
Communication with customers
- provide information to the customer specifying the level of support and maintenance provided for the software being sold
- provide at least one year's notice to the customer when software will no longer be supported or maintained by the vendor
- make information available to customers about notable incidents that may cause a significant impact to customer organisations.
Assurance
Customers can seek assurance against the Code, including by requiring vendors to self-assess their compliance using Assurance Principles and Claims (APCs), which are based on the NCSC Assurance Principles and Claims Standards document, or by requiring an independent audit against those standards. The government is developing a certification scheme based on this compliance process.
Part of the picture
The Code is voluntary, but the government says that adherence to the principles it covers would represent a robust approach to software security and resilience, particularly in terms of the foundations of the digital technologies and services that connect digital supply chains. It forms part of the broader suite of cyber security guidance issued by DSIT and should be read in conjunction with other relevant Codes of Practice, particularly the Cyber Governance Code of Practice. Technology-specific codes may also be relevant, for example those relating to AI, and to Apps and App Stores.
It's fair to say that the Code is not particularly detailed. In fact, the fourteen principles were whittled down from an original 21 during consultation. However, these are only the foundational principles. The real value most likely lies in the assurance process and, ultimately, once it is available, in certification. As the government itself says, there is far more for software vendors to consider than this Code, which does beg the question of just how useful it is. However, it can certainly be used as a checklist or entry point for a focus on cyber security by software vendors, and as a source of reassurance for their customers.