Developers should take software security more seriously, according to the NCSC (National Cyber Security Centre)
The National Cyber Security Centre (NCSC) has introduced a new Software Security Code of Practice, aiming to set out the responsibilities of software vendors in business-to-business commercial relationships and encourage proactive, layered, and ongoing security measures throughout the software lifecycle.
James Neilson, SVP International at OPSWAT, believes the new rules will encourage organizations to build more secure software solutions. He noted that the new code of practice will prompt organizations to consider potential risks associated with open source software, bolstering broader supply chain security.
The new code of practice contains 14 core principles, split across four themes: secure design and development, build environment security, secure deployment and maintenance, and communication with customers. While the exact principles have not been detailed, some core principles can be inferred from related UK government codes and standards.
These principles include threat modelling and secure requirements, least privilege, compartmentalisation, interface restriction, minimal distribution, risk assessment and controls, and protection of sensitive data. The 'secure design and development' theme particularly applies to software vendors and encourages them to follow an established secure development framework.
The new code of practice is most relevant to the sale and distribution of proprietary software. However, it is important to note that open source developers and maintainers have no formal commitment regarding the security of their supply chain or the maintenance of their code.
By securing their software supply chains, vendors can build greater resilience and trust into their software. Organizations adhering to the code will be required to appoint a 'Senior Responsible Owner' who will hold a senior leadership role and ensure the principles of the code are met.
Vendors are expected to publish an "effective vulnerability disclosure process" to inform customers about security risks. The Senior Responsible Owner will also be required to assess the risks associated with software developed at their respective organization.
The NCSC's review found that technology markets do not incentivize organizations to develop software that is "secure by default". The new code of practice is a call for developers to prioritize secure by design practices.
The new code of practice is designed to strengthen supply chain security in several ways. It sets clear expectations, informs procurement decisions, drives security upstream, reduces attack surface, and enhances transparency and accountability. Ultimately, the Code of Practice aims to foster a culture of security within the software supply chain, reducing the likelihood and impact of breaches that could affect multiple organizations downstream.
While currently voluntary, its adoption signals a commitment to robust security practices that benefit all stakeholders in the digital ecosystem.
- The new Software Security Code of Practice introduced by the National Cyber Security Centre (NCSC) is aimed at promoting proactive, secure software solutions within businesses, particularly focusing on vendors.
- James Neilson, SVP International at OPSWAT, thinks this new code will encourage organizations to address potential risks related to open source software to improve overall supply chain security.
- The Code of Practice contains 14 core principles, divided into four themes, including secure design and development, which emphasizes the need for vendors to follow a secure development framework.
- The Code of Practice, while voluntary, signals a commitment to robust security practices in the digital ecosystem, providing clear expectations, influencing procurement decisions, driving security upstream, reducing attack surfaces, and enhancing transparency and accountability to reduce the likelihood of downstream breaches.