The NCSC wants developers to get serious on software security
New voluntary rules outline software security best practices for vendors and developers


The NCSC’s new Software Security Code of Practice is a “clear call to developers” to beef up secure by design practices, according to a senior cybersecurity expert.
James Neilson, SVP International at OPSWAT, said the new rules introduced by the security agency will play a key role in encouraging organizations to build more secure software solutions.
“This new code is a welcome move,” he said. “It isn’t just a checklist — it’s a call to get serious about end-to-end security. A software supply chain is only as strong as its weakest link.”
The new code of practice has been introduced following a review conducted by the agency last year. At the time, the NCSC said technology markets “do not incentivize organizations to develop software that is ‘secure by default’.”
“Understandably, organizations will prioritize growth and profit rather than the security and resilience of their products and services,” the NCSC said in a blog post unveiling the code.
“When the importance of cybersecurity is recognized, we know from research that software developers are not necessarily security experts, and may find it hard to efficiently build software that is secure using tools that are often inaccessible and complicated.”
While the new code of practice is voluntary, the NCSC nonetheless believes it will provide a clear “market baseline” for software security. In practice, software developers and suppliers are now expected to meet a minimum set of standards so that their products are resilient to growing security threats.
What the Software Security Code of Practice covers
The new code of practice contains 14 core principles, split across four themes, according to the NCSC. Organizations adhering to the code will be required to appoint a ‘Senior Responsible Owner’, who will hold a senior leadership role, to ensure these principles are met.
The four key themes outlined in the code include:
- Secure design and development
- Build environment security
- Secure deployment and maintenance
- Communication with customers
A particular focus has been placed on the ‘secure design and development’ theme, which applies predominantly to software vendors and encourages them to follow an established secure development framework.
The Senior Responsible Owner will also be required to assess the risks associated with software developed at their respective organization, as well as any risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle.
Elsewhere, the ‘secure deployment and maintenance’ theme seeks to bolster software and application security “throughout its lifetime”.
This requires vendors to distribute software to customers that is secure at the point of sale and to publish an “effective vulnerability disclosure process” to ensure customers are made aware of any security risks.
All told, the agency believes these rules will have a positive downstream effect, improving supply chain security and preventing costly remediation processes for developers.
“The Code provides a framework to help organizations measure their progress, identify improvements, and provide tangible evidence of their commitment to security,” the NCSC said in its blog post.
“It includes practical guidance to make clear to vendors what is required to ‘bake’ cybersecurity into all stages of the development life cycle. Doing this addresses cybersecurity problems at the root cause and prevents costly redesigns later on.”
What about open source software?
Notably, the NCSC said open source developers and maintainers are “not considered the primary audience” with respect to the new code of practice.
“This Code of Practice is most relevant to the sale and distribution of proprietary software as the Code aims to set out the responsibilities of software vendors in the context of business-to-business commercial relationships,” the agency said.
The NCSC added that open source developers and maintainers bear “no formal commitment” with regard to the security of their supply chain or the maintenance of their code.
In other words, responsibility for managing any risks associated with open source code rests with the end user or the proprietary developer who incorporates it into their software.
Regardless, Neilson noted that the new code of practice will prompt organizations to consider the potential risks here, which again will ultimately bolster broader supply chain security.
“Software developers often use third-party components, including open source software, to speed up development and add features,” he said. “However, these may contain known or newly discovered vulnerabilities, or even ones introduced maliciously.”
“By securing their software supply chains — scanning for hidden threats, validating SBOMs, securing build environments, and ensuring that what is delivered is exactly what was intended — vendors can build greater resilience and trust into their software.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.