UK government launches industry 'ambassadors' scheme to champion software security improvements
The scheme aims to boost software supply chains by helping organizations implement the Software Security Code of Practice
The UK government has launched a new scheme to boost adoption of the Software Security Code of Practice by appointing a series of industry champions.
Under the plans, a cohort of ‘Software Security Ambassadors’ will promote the code of practice across a range of sectors, showcasing examples of practical implementation and giving feedback to inform future policy improvements.
The first batch of participating organizations includes the Department for Science, Innovation, and Technology (DSIT) itself, along with the National Cyber Security Centre (NCSC).
Accenture, Cisco, ISACA, Lloyds Banking Group, Sage, Palo Alto Networks, and others have also backed the scheme.
"By acting as ambassadors, signatories are committing to a process of transparency, development and continuous improvement. The implementation of this code of practice will take time and, in doing so, may bring to light issues that need to be addressed," DSIT said in a statement confirming the announcement.
"Signatories and policymakers will learn from these issues as well as the successes and challenges for each organization and, where appropriate, will share information to help develop and strengthen this government policy."
What is the Software Security Code of Practice?
The Software Security Code of Practice was unveiled by the NCSC in May last year, setting out a series of voluntary principles defining what good software security looks like across the entire software lifecycle.
Aimed at technology providers and organizations that develop, sell, or procure software, the code offers best practices for secure design and development, build-environment security, and secure deployment and maintenance.
The code also emphasizes the importance of transparent communication with customers on potential security risks and vulnerabilities.
Developed with the NCSC, the code is designed to reflect internationally recognized best practices, such as the US Secure Software Development Framework (SSDF) and the EU’s Cyber Resilience Act (CRA).
Software security in the spotlight
The launch of the code came in direct response to growing concerns surrounding software security on both sides of the Atlantic. In the US, for example, the Secure by Design Pledge was launched by CISA in 2023.
This voluntary scheme asks software developers and providers to place a stronger emphasis on product security.
According to figures from the DSIT, more than half (59%) of organizations experienced software supply chain attacks in the past year, underlining the growing risks faced by UK enterprises and consumers alike.
In a separate survey from ISC2, more than half of respondents identified software vulnerabilities in supplier products as the most disruptive cybersecurity threat to their organisation’s supply chain.
ISC2 said it plans to help drive adoption of the code by promoting awareness through educational and thought leadership content, and referencing it in relation to certifications, training, and guidance that support secure software development.
It will also work with organizations across the software supply chain to encourage practical implementation and require its own partners to incorporate it.
“Promoting secure software practices that strengthen the resilience of systems underpinning the economy, public services and national infrastructure is central to ISC2’s mission,” said Tara Wisniewski, ISC2 EVP for advocacy and strategic engagement.
“The code moves software security beyond narrow compliance and elevates it to a board-level resilience priority. As supply chain attacks continue to grow in scale and impact, a shared baseline is essential and through our global community and expertise, ISC2 is committed to helping professionals build the skills needed to put secure-by-design principles into practice.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.