DSIT publishes new Software Security Code of Practice

Published
5/13/2025

The government has published a new voluntary guide to improve the security and resilience of software used by businesses and organisations.

Published by the Department for Science, Innovation and Technology (DSIT) at CYBERUK, the Code is intended to help software vendors and their customers reduce the risks and impact of cyber-attacks on the software supply chain, while also improving general software resilience.

The Code has been co-sealed by the Canadian Centre for Cyber Security and was developed in collaboration with the National Cyber Security Centre (NCSC) and industry and academic experts. It also forms part of the government’s broader cyber security agenda and will complement initiatives such as the recently published Cyber Governance Code of Practice and the AI Cyber Security and Apps and App Stores Codes of Practice.

The Code includes 14 principles across 4 themes:

  1. Secure design and development
    1. Follow an established secure development framework.
    2. Understand the composition of the software and assess risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle.
    3. Have a clear process for testing software and software updates before distribution.
    4. Follow secure by design and secure by default principles throughout the development lifecycle of the software.
  2. Build environment security
    1. Protect the build environment against unauthorised access.
    2. Control and log changes to the build environment.
  3. Secure deployment and maintenance
    1. Distribute software securely to customers.
    2. Implement and publish an effective vulnerability disclosure process.
    3. Have processes and documentation in place for proactively detecting, prioritising and managing vulnerabilities in software components.
    4. Report vulnerabilities to relevant parties where appropriate.
    5. Provide timely security updates, patches and notifications to customers.
  4. Communication with customers
    1. Provide information to the customer specifying the level of support and maintenance provided for the software being sold.
    2. Provide at least 1 year’s notice to customers of when the software will no longer be supported or maintained by the vendor.
    3. Make information available to customers about notable incidents that may cause significant impact to customer organisations.

You can access the voluntary Software Security Code of Practice, the accompanying NCSC/DSIT blog on software security, and the NCSC pages on the Code.

You can access the government’s response to the Call for Views on the Software Vendors Code of Practice here.
