Developers urged to prioritize software security, as per NCSC's directive
Straight Up: NCSC's New Software Security Code
The National Cyber Security Centre's (NCSC) latest Software Security Code of Practice is pushing software developers to beef up their secure-by-design practices, according to a prominent cybersecurity exec.
James Neilson, OPSWAT's SVP International, sees the new rules as a significant step in encouraging organizations to produce more secure software solutions. He said, "This move is ace! It's not just a list of boxes to check; it's a genuine call to take end-to-end security seriously. A software supply chain is only as strong as its weakest link, after all."
The new code of practice stems from a review conducted by the NCSC last year, which found that technology markets don't incentivize organizations to develop software that's "secure by default." In a blog post, the NCSC said that organizations tend to prioritize growth and profit over their products' security and resilience, leading to insecure software.
While the code is voluntary, the NCSC still expects software developers and suppliers to adhere to a minimum set of standards to ensure their products are resilient to growing security threats. They call this the "market baseline."
The 4 Main Themes
The code consists of 14 core principles split across four key themes, according to the NCSC:
- Secure Design and Development: A focus on following an established secure development framework and understanding third-party component risks[1][4].
- Build Environment Security: Protecting the build environment from unauthorized access[4].
- Secure Deployment and Maintenance: Having processes in place for vulnerability management, providing timely security updates, and good communication with customers[4][5].
- Communication with Customers: Clearly defining the level of support and maintenance provided for the software, as well as disclosing incident information[4][5].
A significant emphasis has been placed on the "secure design and development" theme, which primarily applies to software vendors. It encourages following a secure development framework and assessing risks linked to third-party components throughout the development lifecycle[2].
Open Source Development
Notably, the NCSC stated that open source developers and maintainers are not the primary audience for the new code of practice. The code mainly aims to outline the responsibilities of software vendors in the context of business-to-business commercial relationships[3].
Open source developers and maintainers bear no formal commitment regarding the security of their supply chain or the maintenance of their code. The responsibility for managing open source code risks rests with the end-user or proprietary developer who incorporates that code into their software[3].
Regardless, Neilson notes that the new code of practice will prompt organizations to consider the potential risks associated with open source code, further bolstering broader supply chain security[3].
Breaking Down the 14 Principles
While the sources cited here do not list all 14 principles individually, they emphasize the importance of securing software across its lifecycle, from design to deployment and communication with customers. The principles aim to mitigate cyber risks and ensure software resilience throughout its lifecycle[1][3].
Voluntary Compliance and Certification
Compliance with the Code is voluntary, but it provides a robust framework for software vendors to demonstrate their commitment to security. Customers can require self-assessment or independent audits against the Code's principles to guarantee vendor compliance[5].
A certification scheme is also being developed based on these principles, which could further enhance the credibility of compliant vendors[5].
Don't be a slacker, shore up your software security!
(Hint: Read the details in the NCSC's Software Security Code of Practice.)
- The National Cyber Security Centre's (NCSC) Software Security Code of Practice emphasizes the importance of secure design and development for software vendors, following established secure development frameworks and understanding third-party component risks.
- The NCSC's new code of practice could lead to more secure software solutions, a significant step in reinforcing security across business, data, cloud computing and technology industries.
- The code of practice, while voluntary, encourages software developers to prioritize end-to-end security and addresses the problem of technology markets not incentivizing secure-by-default software.
- While open source developers and maintainers are generally not the primary audience for the new code of practice, it may still prompt organizations to consider potential risks associated with open source code, ultimately increasing overall supply chain security across various industries.