What the UK’s New Voluntary Software Security Code of Practice Means for Your Business

0
648

Author: Liam Humphreys, Director of Clear Path Security Ltd


The UK government has released a new Voluntary Software Security Code of Practice, aimed at improving software security across the digital supply chain. While non-binding, this code sets out clear expectations for software vendors, especially those selling to public sector organisations.

For small- to medium-sized enterprises (SMEs), the Code offers a practical framework to assess and improve your organisation’s software development and maintenance practices. Compliance won’t just boost security, it can be a product enabler, a market differentiator providing trust and confidence in your solutions with customers, regulators, and partners.

What Is the Code?

The Code outlines 14 security principles, grouped into four areas:

  1. Secure Design and Development
  2. Build Environment Security
  3. Secure Deployment and Maintenance
  4. Communication with Customers

At its core is the requirement for a Senior Responsible Owner (SRO), a senior leader who is accountable for ensuring these principles are implemented and maintained. The Code uses the Principles-Based Assurance (PBA) approach developed by the NCSC, helping organisations map their practices against each principle using claims and evidence.

Summary of the 14 Principles

  1. Secure Design and Development

Software must be built with security as a fundamental priority. Key expectations include:

  • Adhering to recognised secure development frameworks (e.g., OWASP SAMM, Microsoft SDL).
  • Managing risks from third-party components throughout the lifecycle.
  • Secure testing before release with documented processes.
  • Embracing “secure by design” and “secure by default” principles.
  1. Build Environment Security

The integrity of the software supply chain hinges on the security of the build environment:

  • Prevent unauthorised access to build systems.
  • Log and control changes within build environments and detect compromise early.
  1. Secure Deployment and Maintenance

Security doesn’t stop at release. Software must remain secure throughout its lifecycle:

  • Use secure channels to deliver software and updates.
  • Maintain a clear vulnerability disclosure process.
  • Ensure suitable processes and documentation to detect, prioritise, and manage vulnerabilities in software components.
  • Notify relevant parties of vulnerabilities
  • Provide timely patches and notifications to clients.
  1. Communication with Customers

Transparency is essential to managing risk:

  • Specify the level of support and maintenance customers will be provided with procured software.
  • Inform customers of support timelines and end-of-life dates with at least one year’s notice.
  • Provide clear details on significant security incidents affecting the software.

Why This Code Matters for SMEs

  1. Prepares You for Future Regulation

Although voluntary today, the Code lays the groundwork for possible future legislation, especially in regulated industries and public sector supply chains. Early adoption demonstrates maturity and readiness.

  1. Supports Risk Management and Trust

Cybersecurity is a key factor in procurement and partnership decisions. Implementing the Code shows that your organisation is serious about protecting customers, data, and systems. Providing required trust and assurance to would be buyer’s, partners, insurers and regulators.

  1. Helps You Align with Industry Best Practice

By following established secure development and deployment practices, your team reduces the chance of costly incidents, reputational damage, or breaches. The Code reinforces many of the same principles found in ISO/IEC 27001, NIST, and other global standards ensuring continued compliance or easier first time certification to additional standards.

  1. Makes Software More Defensible by Design

Embedding security from the outset is more cost-effective and efficient than retrofitting controls after vulnerabilities are exploited. The Code offers a systematic way to raise your software assurance baseline.

What Should you do next?

  1. Appoint a Senior Responsible Owner for software security, ideally someone with visibility across product, engineering, and security functions.
  2. Conduct a self-assessment based on the Assurance, Principles & Claims (APC) framework.
  3. Review your secure development lifecycle and compare it to the Code’s principles.
  4. Engage product and engineering teams early to embed secure design and testing practices.
  5. Evaluate your disclosure, support, and customer communication processes to ensure they’re transparent and fit for purpose.