Software vendors encouraged to adhere to new government-issued security principles


Customers buying products are advised that they can require tech providers to undergo independent testing to demonstrate they have complied with a set of 14 principles set out by NCSC

The government has invited tech vendors to voluntarily sign up for a new Software Security Code of Practice created by experts from the National Cyber Security Centre.

As part of the NCSC’s annual CyberUK event, the code was issued this week by the Department for Science, Innovation and Technology (DSIT). The document outlines 14 principles created to “support software vendors and their customers in reducing the likelihood and impact of software supply chain attacks and other software resilience incidents”.

“Often, these kinds of attacks and disruptions are caused by avoidable weaknesses in software development and maintenance practices,” the code adds.

In a blog post introducing the guidelines, the NCSC said that it hopes that the publication of the code “marks the first step in establishing clear expectations for a market baseline with regards to cybersecurity”.

“We have tested the efficacy of each of the actions, ensuring they are proportionate to both the vulnerabilities they mitigate and the likely budget available – given that 98% of the UK’s private sector comprises small businesses,” the blog added.

Customers buying products from software providers are advised that they can ask companies to demonstrate that they have adhered to the measures – and even require them to undergo “independent testing” to prove compliance.

“For this reason, the code is launched in partnership with a new assurance process that allows for a formal assessment of the resilience of connected products that have software elements,” the NCSC said. “Alternatively, vendors can self-assess… which will help vendors measure how well they are meeting the principles of the code – and suggests remedial actions should they fall short.”

The code’s 14 principles are split into four “themes”: secure design and development; build environment security; secure deployment and maintenance; and communication with customers.

In the area of secure design, firms are encouraged to: “follow an established secure development framework…; understand the composition of software and assess risks…; have a clear process for testing software and software updates…; [and] follow secure-by-design and secure by default principles throughout the development lifecycle”.

On build environment security, the code sets out two principles: “protect the build environment against unauthorised access; [and] control and log changes to the build environment”.

Five tenets are put forward on the theme of secure deployment and maintenance: “distribute software securely…; implement and publish an effective vulnerability disclosure process; have processes and documentation in place for proactively detecting, prioritising and managing vulnerabilities…; report vulnerabilities to relevant parties, where appropriate; [and] provide timely security updates, patches and notifications to customers”.

On communication with customers, vendors are given three principles: “provide information to the customer specifying the level of support and maintenance provided for the software being sold; provide at least one year’s notice to customers of when the software will no longer be supported or maintained by the vendor; [and] make information available to customers about notable incidents that may cause significant impact to customer organisations”.

The introduction to the code sets out DSIT’s view that the principles “are relevant to any type of software supplied to business customers”.

“The government has identified these principles as fundamental and achievable measures that should be reasonably expected from organisations of any size, type or sector,” it says. “If carried out, these principles would represent a robust approach to software security and resilience, helping to secure the foundations of the digital technologies and services that connect digital supply chains.”

Sam Trendall