The NCSC wants developers to get serious on software security
The NCSC’s new Software Security Code of Practice is a “clear call to developers” to beef up secure by design practices, according to a senior cybersecurity expert.
James Neilson, SVP International at OPSWAT, said the new rules introduced by the security agency will play a key role in encouraging organizations to build more secure software solutions.
“This new code is a welcome move,” he said. “It isn’t just a checklist — it’s a call to get serious about end-to-end security. A software supply chain is only as strong as its weakest link.”
The new code of practice has been introduced following a review conducted by the agency last year. At the time, the NCSC said technology markets “do not incentivize organizations to develop software that is ‘secure by default’.”
“Understandably, organizations will prioritize growth and profit rather than the security and resilience of their products and services,” the NCSC said in a blog post unveiling the code.
“When the importance of cybersecurity is recognized, we know from research that software developers are not necessarily security experts, and may find it hard to efficiently build software that is secure using tools that are often inaccessible and complicated.”
While the new code of practice is voluntary, the NCSC nonetheless believes it will provide a clear “market baseline” for software security. What this means is that software developers and suppliers are now expected to adhere to a minimum set of standards to ensure products are resilient to growing security threats.
What the Software Security Code of Practice covers
The new code of practice contains 14 core principles, split across four themes, according to the NCSC. Organizations adhering to the code will be required to appoint a ‘Senior Responsible Owner’, who will hold a senior leadership role, to ensure these principles are met.
The four key themes outlined in the code include:
- Secure design and development
- Build environment security
- Secure deployment and maintenance
- Communication with customers
A particular focus has been placed on the ‘secure design and development’ theme, which applies predominantly to software vendors and encourages them to follow an established secure development framework.
The Senior Responsible Owner will also be required to assess the risks associated with software developed at their respective organization, as well as any risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle”.
Elsewhere, the ‘secure deployment and maintenance’ theme seeks to bolster software and application security “throughout its lifetime”.
This requires vendors to distribute software to customers that is secure at the point of sale and to publish an “effective vulnerability disclosure process” to ensure customers are made aware of any security risks.
All told, the agency believes these rules will have a positive downstream effect, improving supply chain security and preventing costly remediation processes for developers.
“The Code provides a framework to help organizations measure their progress, identify improvements, and provide tangible evidence of their commitment to security,” the NCSC said in its blog post.
“It includes practical guidance to make clear to vendors what is required to ‘bake’ cybersecurity into all stages of the development life cycle. Doing this addresses cybersecurity problems at the root cause and prevents costly redesigns later on.”
What about open source software?
Notably, the NCSC said open source developers and maintainers are “not considered the primary audience” with respect to the new code of practice.
“This Code of Practice is most relevant to the sale and distribution of proprietary software as the Code aims to set out the responsibilities of software vendors in the context of business-to-business commercial relationships,” the agency said.
The NCSC added that open source developers and maintainers bear “no formal commitment” with regard to the security of their supply chain or the maintenance of their code.
In other words, responsibility for managing any risks associated with open source code rests on the end-user or proprietary developer using this in their software.
Regardless, Neilson noted that the new code of practice will prompt organizations to consider the potential risks here, which again will ultimately bolster broader supply chain security.
“Software developers often use third-party components, including open source software, to speed up development and add features,” he said. “However, these may contain known or newly discovered vulnerabilities, or even ones introduced maliciously.”
“By securing their software supply chains — scanning for hidden threats, validating SBOMs, securing build environments, and ensuring that what is delivered is exactly what was intended — vendors can build greater resilience and trust into their software.”
MORE FROM ITPRO
Source link
