Proposed Code of Practice Aims to Establish Standard Security Guidelines for Software Vendors

The British government has put forward a proposal aimed at enhancing software security, and most of the industry vendors who responded to it welcomed the move. Those vendors said that adopting voluntary best practices will help bolster defenses against cyber threats.
In August 2024, the U.K. Department for Science, Innovation and Technology released a draft of a voluntary code of practice aimed specifically at software vendors. The framework comprises 21 steps designed to secure the software supply chain. The government opened a consultation, seeking feedback from industry stakeholders on the implications of the proposed measures (see: UK Software Security Code of Practice Earns Mixed Reviews).
The government's summary of the responses, published on Monday, showed that 81% of respondents welcomed government-issued guidance. "The call for views demonstrated significant backing for a Code of Practice for Software Vendors," stated the Department for Science, Innovation and Technology (DSIT). "Of the 72 respondents, 81% concurred that the government should provide guidelines to help software vendors understand what constitutes 'good' cybersecurity."
During a preliminary consultation in 2023, many participants articulated concerns that software vendors lacked clarity regarding the minimum security standards expected from their products. The proposed code is intended to bridge this knowledge gap.
Among other measures, the guidelines call on software companies to test their products before they reach production, to enforce multifactor authentication for developers, and to ensure that vulnerabilities are reported and remediated promptly.
As Simon Phillips, CTO of SecureAck, remarked, “In order to enforce meaningful enhancements, it is crucial for governments to hold software vendors and their executives accountable for any security deficiencies, as this will compel the industry to elevate its standards.” He cautioned that the voluntary nature of the guidelines might lead to them becoming a mere “tick box” exercise.
In the near future, the U.K. government may transition to mandatory requirements in the form of the Cyber Security and Resilience Bill (see: UK Labour Introduces Cyber Security and Resilience Bill).
Feryal Clark, the Parliamentary Under-Secretary of State at the Department for Science, Innovation and Technology, emphasized, “The forthcoming Cyber Security and Resilience Bill will fortify our defenses while ensuring that an increasing number of crucial and digital services are adequately protected.” She further pledged to collaborate closely with industry, public sector organizations, and regulators to facilitate compliance with the new obligations under the bill.