Cyber security supply chain risks are growing, and attacks on vendors and other third parties cause severe disruption to businesses. For example, in recent years we have seen many incidents that have involved threat actors compromising third-party software used by a significant number of customers.
With that background, on May 7, 2025, the National Cyber Security Centre (“NCSC”) and the Department of Science, Innovation and Technology (“DSIT”) published the Software Security Code of Practice (the “Code”). The purpose of the Code is to help software vendors and their customers reduce the likelihood and impact of software supply chain attacks by implementing good practices throughout the entire product lifecycle.
Who does the Code apply to?
The Code applies to the following organizations, particularly those involved in business-to-business commercial relationships:
- Software developers and distributors
- Software resellers
- Software developers only
- Open-source developers and maintainers
The Code contains 14 principles that each sit within four themes. The 14 principles cover security and resilience measures that organizations should implement to mitigate cyber risks.
Whilst compliance with the Code is voluntary, it contains useful guidance and industry best practice to assist senior leaders in mitigating cyber security risks.
Secure Design and Development
- Established Secure Development Framework: Follow a structured approach integrating security throughout the software development lifecycle.
- Third-Party Component Risks: Understand the composition of software and assess risks linked to third-party components.
- Testing Processes: Implement clear processes for testing software and updates before distribution.
- Secure by Design: Embed security from inception and ensure secure configurations are enabled by default.
Build Environment Security
- Unauthorized Access Protection: Safeguard the build environment against unauthorized access.
- Change Control and Logging: Ensure changes to the build environment are controlled and logged.
Secure Deployment and Maintenance
- Secure Distribution: Ensure software is distributed securely to customers.
- Vulnerability Disclosure: Implement and publish an effective vulnerability disclosure process.
- Proactive Vulnerability Management: Detect, prioritize, and manage vulnerabilities in software components.
- Vulnerability Reporting: Report vulnerabilities to the relevant parties where appropriate.
- Timely Security Updates: Provide timely security updates, patches, and notifications to customers.
Communication with Customers
- Support and Maintenance Information: Provide clear information about the level of support and maintenance the organization provides for the software in question.
- Notice of End of Support: Give at least one (1) year’s notice before ending support or maintenance.
- Incident Information: Inform customers about notable incidents that may significantly impact them.
Assurance and Self-Assessment
To accompany the Code, the NCSC and DSIT have produced a self-assessment form. Organizations may use the form for internal compliance purposes or to provide software security assurances to customers. Additionally, the NCSC and DSIT are developing a certification scheme, the details of which are yet to be published.
Skills and Training
Senior leaders are responsible for ensuring their teams have the necessary skills and resources to implement the Code. The NCSC and DSIT expect that individuals will have formal qualifications and receive on-the-job training and exposure to relevant knowledge (including secure coding standards).
Other Resources
Organizations deemed in scope of the Code should also make sure they consider obligations under other codes of practice including:
- Cyber Governance Code of Practice (as discussed in our previous article)
- Code of Practice for the Cyber Security of AI (as applicable)
- Code of Practice for App Store Operators and App Developers (as applicable)