In May 2025, the UK Government introduced the Software Security Code of Practice (the Code) to help software vendors and their clients to reduce risks associated with software supply chain attacks and other digital threats. These threats often arise from avoidable weaknesses in software development and maintenance. By adopting the Code’s principles, organisations can strengthen the foundations of the digital technologies and services that underpin their operations.
In this blog post, we explore the key elements of the Code, its intended purpose, what it means for software vendors and their customers and how organisations can use it to improve their software security practices.
Purpose and scope
The Code is voluntary, which means that it serves as best-practice guidance rather than a binding legal requirement.
The Government has identified 14 core principles that should be reasonably expected from organisations (software vendors) of any type, size or sector that develop or sell (or both) software or software services to businesses. This includes suppliers of standalone software, software services or goods and services that contain embedded software. The software (or software component) in question may be of any kind.
That said, the Code is most relevant to the sale and distribution of proprietary software in business-to-business (B2B) commercial relationships.
Who does the Code apply to?
The Code is primarily directed at senior leaders within software vendor organisations. Senior leaders are individuals at the top of the organisation’s hierarchy who hold an executive or upper management function – depending on specific circumstances, a senior leader can be a CEO, President, Director or a Head of Department.
The Code suggests that a Senior Responsible Owner (SRO) be appointed to ensure the principles are implemented effectively across teams within the organisation. The SRO must also ensure that staff have the right skills and resources, including both formal qualifications and on-the-job training.
The principles are also relevant to individuals involved in designing, developing and maintaining software and those responsible for customer communication.
In addition, organisations that procure software can use the Code to guide their discussions and negotiations with suppliers, helping shape contractual terms and expectations.
14 principles of the Code
The UK Government has outlined 14 principles that are grouped into 4 main categories.
These principles are supported by implementation guidance designed to help software vendors achieve the Code’s intended outcomes. This guidance is aimed at the specialist teams or individuals responsible for carrying out the work needed to meet the objectives of the Code.
1. Secure design and development
- Follow secure-by-design and secure-by-default principles at every stage of the software development lifecycle
- Adopt a secure development framework
- Understand the software’s composition and assess risks associated with third-party components throughout the development lifecycle (third-party components can be open source or owned or licensed by third parties)
- Test software and software updates before release
2. Build environment security
The build environment is where software is compiled, built and packaged ready for release.
- Protect the build environment from unauthorised access
- Control and log any changes made within the build environment
3. Secure deployment and maintenance
- Use secure distribution channels
- Establish and publish an effective vulnerability disclosure process to allow individuals to safely and accessibly report vulnerabilities to the organisation
- Maintain documented processes for proactively identifying, prioritising and managing vulnerabilities in software components
- Report vulnerabilities to relevant stakeholders (where appropriate)
- Provide customers with timely security updates, patches and relevant notifications
4. Communication with customers
- Clearly communicate the level of support and maintenance provided for the software
- Give customers advance notice (at least 12 months) before ending support or maintenance for the software
- Make information available to customers about any notable incidents that may significantly impact their organisations
To support adoption of these principles, the UK Government has published a self-assessment form that can be used for internal compliance monitoring. The Government is currently preparing a certification scheme based on this compliance process.
Comment
While the introduction of the Code is a welcome step forward, its voluntary nature means its impact will rely on how readily organisations choose to implement its principles.
Nevertheless, it provides a clear, practical framework for improving software security and strengthening resilience against supply chain threats.
By following the Code, software vendors can show their commitment to secure development and transparent communication with customers. At the same time, software buyers can use the Code to push for stronger standards when procuring software. As cyber threats continue to evolve, aligning with best-practice guidance like this Code can help organisations stay one step ahead and build trust in their digital products and services.
As Chris Anley, member of the UK Government’s Software Vendor Code of Practice Co-design Group, said: “Cyber security is no longer a nice-to-have, it is a necessity. But not everyone has the equipment to know where to start. Having a minimum set of expectations enables organisations to prevent vulnerabilities. When combined with robust legal frameworks, guidelines like the Code will put organisations in the right place to build water-tight security systems.”
If you would like advice on how the Code could apply to your business or how to reflect its principles in your operations or contracts, please get in touch with Neil Williamson, Colin Lambertus or contact us here.