The NCSC wants developers to get serious on software security
New voluntary rules outline software security best practices for vendors and developers


The NCSC’s new Software Security Code of Practice is a “clear call to developers” to beef up secure by design practices, according to a senior cybersecurity expert.
James Neilson, SVP International at OPSWAT, said the new rules introduced by the security agency will play a key role in encouraging organizations to build more secure software solutions.
“This new code is a welcome move,” he said. “It isn’t just a checklist — it’s a call to get serious about end-to-end security. A software supply chain is only as strong as its weakest link.”
The new code of practice has been introduced following a review conducted by the agency last year. At the time, the NCSC said technology markets “do not incentivize organizations to develop software that is ‘secure by default’.”
“Understandably, organizations will prioritize growth and profit rather than the security and resilience of their products and services,” the NCSC said in a blog post unveiling the code.
“When the importance of cybersecurity is recognized, we know from research that software developers are not necessarily security experts, and may find it hard to efficiently build software that is secure using tools that are often inaccessible and complicated.”
While the new code of practice is voluntary, the NCSC nonetheless believes it will provide a clear “market baseline” for software security. What this means is that software developers and suppliers are now expected to adhere to a minimum set of standards to ensure products are resilient to growing security threats.
What the Software Security Code of Practice covers
The new code of practice contains 14 core principles, split across four themes, according to the NCSC. Organizations adhering to the code will be required to appoint a ‘Senior Responsible Owner’, who will hold a senior leadership role, to ensure these principles are met.
The four key themes outlined in the code include:
- Secure design and development
- Build environment security
- Secure deployment and maintenance
- Communication with customers
A particular focus has been placed on the ‘secure design and development’ theme, which applies predominantly to software vendors and encourages them to follow an established secure development framework.
The Senior Responsible Owner will also be required to assess the risks associated with software developed in-house, as well as any risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle.
Elsewhere, the ‘secure deployment and maintenance’ theme seeks to bolster software and application security “throughout its lifetime”.
This requires vendors to distribute software to customers that is secure at the point of sale and to publish an “effective vulnerability disclosure process” to ensure customers are made aware of any security risks.
All told, the agency believes these rules will have a positive downstream effect, improving supply chain security and preventing costly remediation processes for developers.
“The Code provides a framework to help organizations measure their progress, identify improvements, and provide tangible evidence of their commitment to security,” the NCSC said in its blog post.
“It includes practical guidance to make clear to vendors what is required to ‘bake’ cybersecurity into all stages of the development life cycle. Doing this addresses cybersecurity problems at the root cause and prevents costly redesigns later on.”
What about open source software?
Notably, the NCSC said open source developers and maintainers are “not considered the primary audience” with respect to the new code of practice.
“This Code of Practice is most relevant to the sale and distribution of proprietary software as the Code aims to set out the responsibilities of software vendors in the context of business-to-business commercial relationships,” the agency said.
The NCSC added that open source developers and maintainers bear “no formal commitment” with regard to the security of their supply chain or the maintenance of their code.
In other words, responsibility for managing any risks associated with open source code rests with the end user or the proprietary developer who incorporates it into their own software.
Regardless, Neilson noted that the new code of practice will prompt organizations to consider the potential risks here, which again will ultimately bolster broader supply chain security.
“Software developers often use third-party components, including open source software, to speed up development and add features,” he said. “However, these may contain known or newly discovered vulnerabilities, or even ones introduced maliciously.”
“By securing their software supply chains — scanning for hidden threats, validating SBOMs, securing build environments, and ensuring that what is delivered is exactly what was intended — vendors can build greater resilience and trust into their software.”
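One concrete form of the "what is delivered is exactly what was intended" check Neilson describes is to compare each shipped artifact against the hash recorded for it in the vendor's SBOM. The following is an added illustration for this article, not code from the NCSC Code of Practice or from OPSWAT. The SBOM is a constructed, minimal CycloneDX-style JSON document; the artifact bytes are made up; and the use of a `filename` property to map components to files is an assumption of this example, not a CycloneDX requirement.

```python
"""Verify delivered artifacts against the hashes recorded in an SBOM.

Added example for this article (not NCSC or OPSWAT code). The SBOM and the
artifact bytes below are constructed for illustration.
"""
import hashlib
import json

# Hash algorithms this check is willing to trust. MD5 and SHA-1 entries are
# ignored, so a component carrying only those is reported as unverifiable.
STRONG_ALGS = {"SHA-256", "SHA-384", "SHA-512"}

# Constructed sample: the files a customer actually received.
ARTIFACTS = {
    "acme-agent-1.4.2.tar.gz": b"pretend this is the release tarball\n",
    "libparse-0.9.1.whl": b"pretend this is a vendored third-party wheel\n",
    "README.txt": b"pretend this is the documentation\n",
    "debug-shell.sh": b"pretend this slipped into the release unnoticed\n",
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed CycloneDX-style SBOM. The first component's hash is computed from
# the real bytes above; the second is deliberately wrong to simulate tampering;
# the third records no hash at all. The 'filename' property is an assumption
# of this example, used only to map a component to a delivered file.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "acme-agent", "version": "1.4.2",
         "hashes": [{"alg": "SHA-256",
                     "content": _sha256(ARTIFACTS["acme-agent-1.4.2.tar.gz"])}],
         "properties": [{"name": "filename", "value": "acme-agent-1.4.2.tar.gz"}]},
        {"name": "libparse", "version": "0.9.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "properties": [{"name": "filename", "value": "libparse-0.9.1.whl"}]},
        {"name": "docs", "version": "1.0",
         "hashes": [],
         "properties": [{"name": "filename", "value": "README.txt"}]},
    ],
})


def verify_sbom(sbom: dict, artifacts: dict) -> dict:
    """Return {filename: status} covering every SBOM component and every file.

    Statuses: 'verified' (all strong hashes match), 'mismatch' (a strong hash
    differs), 'missing' (declared but not delivered), 'unverifiable' (no strong
    hash recorded), 'undeclared' (delivered but absent from the SBOM).
    """
    results = {}
    declared = set()
    for comp in sbom.get("components", []):
        fname = next((p["value"] for p in comp.get("properties", [])
                      if p.get("name") == "filename"), None)
        if fname is None:
            continue
        declared.add(fname)
        data = artifacts.get(fname)
        if data is None:
            results[fname] = "missing"
            continue
        strong = {h["alg"]: h["content"].lower()
                  for h in comp.get("hashes", []) if h.get("alg") in STRONG_ALGS}
        if not strong:
            results[fname] = "unverifiable"
            continue
        ok = all(hashlib.new(alg.replace("-", "").lower(), data).hexdigest() == digest
                 for alg, digest in strong.items())
        results[fname] = "verified" if ok else "mismatch"
    # Anything shipped that the SBOM never mentions is itself a finding.
    for fname in artifacts.keys() - declared:
        results[fname] = "undeclared"
    return results


def check_release() -> dict:
    """Run the verification over the constructed SBOM and artifacts."""
    return verify_sbom(json.loads(SBOM_JSON), ARTIFACTS)


def release_is_intact(results: dict) -> bool:
    """A release passes only if every entry verified; any other status fails."""
    return bool(results) and all(s == "verified" for s in results.values())


if __name__ == "__main__":
    res = check_release()
    for name, status in sorted(res.items()):
        print(f"{status:13s} {name}")
    print("release intact:", release_is_intact(res))
```

The point of the four non-passing states is that an SBOM only attests integrity where it carries a strong hash for each shipped file: a component without hashes, a file the SBOM never lists, or a hash that fails to match all break the link between "what was built" and "what was delivered", and a consumer should treat each of them as a failed check rather than a warning.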
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.