A draft voluntary code of practice for software vendors proposed by the British government has received positive feedback from industry stakeholders, who believe that adopting voluntary best practices could enhance cyber defenses across the country. The U.K. Department for Science, Innovation, and Technology introduced a 21-step framework in August 2024 that focuses on securing the software supply chain. The government sought input from various industry players through a consultation process to gauge the potential impact of the proposed measures.
The department recently analyzed the responses received from the industry and found that 81% of the respondents welcomed the government’s guidance on software security. The feedback indicated a strong endorsement for the Code of Practice for Software Vendors, with a majority of participants agreeing that such guidelines would help software vendors understand the standards for cybersecurity expected from their products.
One of the key objectives of the code of practice is to address the lack of clarity among software vendors regarding the minimum security requirements for their products. The proposed guidelines recommend thorough testing of software products before deployment, implementation of multifactor authentication for developers, and prompt reporting and patching of vulnerabilities.
Simon Phillips, the CTO of SecureAck, emphasized the importance of holding software vendors accountable for their security shortcomings to drive meaningful improvements in the industry. He raised concerns that the voluntary nature of the guidelines could lead to a checklist-based approach to compliance. However, there are indications that the U.K. government may consider making these practices mandatory through the proposed Cyber Security and Resilience Bill, which aims to enhance national cybersecurity defenses.
Feryal Clark, the Parliamentary Under-Secretary of State at the Department for Science, Innovation, and Technology, expressed confidence in the upcoming Cyber Security and Resilience Bill’s ability to strengthen the country’s cybersecurity posture. She highlighted the government’s commitment to collaborating with industry stakeholders, public sector organizations, and regulators to ensure compliance with the new obligations outlined in the proposed legislation.
Overall, the British tech industry’s support for the government’s initiative on software security underscores the collective effort to bolster cyber defenses and raise the standards for secure software development practices. As discussions around mandatory compliance measures gain momentum, it is evident that a proactive approach to cybersecurity is crucial in safeguarding critical digital infrastructure and services in the U.K.