The UK government has published its response to the call for views on a draft code of practice for software vendors. The code aims to improve software security and resilience across the digital economy and was developed with industry leaders, academics and technical experts as part of a broader effort to improve the UK's cyber resilience. It is organised around four principles, each setting out measures software vendors should implement to protect their products and services from cyber threats and to keep digital supply chains stable: secure design and development, build environment security, secure deployment and maintenance, and communication with customers.
Consultation Findings
The feedback highlighted several key themes:
- Strong support for the code: There was overwhelming support for the creation of a code of practice for software vendors, with 73% of respondents indicating that they would be likely or very likely to use such a code to inform procurement.
- Support for the code's principles and provisions: The proposed principles and provisions of the code received broad support. Respondents generally preferred that these provisions be included as mandatory requirements rather than recommendations.
- Implementation guidance: There was a clear demand for more detailed implementation guidance to help organisations comply with the code. Some respondents expressed concerns about the cost of compliance, with 10% of respondents suggesting that the code of practice would be too expensive to incorporate into procurement processes.
- Alignment with existing standards: Stakeholders emphasised the importance of aligning the code with existing standards, regulations and international approaches (e.g. NIS, DORA) to avoid unnecessary duplication and ensure consistency.
- Assurance and certification: There was significant interest (71%) in an assurance or certification scheme to help organisations demonstrate compliance with the code and to facilitate supplier assessment and management processes.
- Clarity of language: Respondents requested clearer definitions and more precise language in the code to ensure it is accessible and actionable for senior leaders in software vendor organisations.
Next Steps
The government has outlined several next steps:
- Revisions to the code: The government will make "minor revisions" to the code to address the feedback. This includes reassessing provisions that were more contentious and ensuring the code is feasible for organisations of all sizes.
- Implementation guidance: The NCSC and DSIT will develop revised technical controls and implementation guidance to accompany the code, giving organisations detailed support in choosing the implementation options that suit their needs and in demonstrating compliance with the code's provisions.
- Assurance regime: The government will design an assurance regime for the code to help software vendors demonstrate compliance. This regime will follow the NCSC's Principles-Based Assurance Approach and be compatible with future technology security assurance regimes.
- Alignment with standards: The government will map the code against existing standards, regulations, and guidance, including international approaches. This will include exploring the potential for demonstrating equivalence between existing standards and the code's provisions.
Conclusion
The government's response marks a significant step towards improving software security and resilience in the UK. The strong support for the code and the constructive feedback from stakeholders underline the importance of the initiative. By making minor revisions to the code, developing detailed implementation guidance and designing an assurance regime, the government aims to drive the adoption of best practices in software development and distribution. The code is welcome, but is it enough?