NCC Group pivotal in the development of new UK Code of Practice for Software Vendors

Today at CYBERUK, the UK government's flagship cyber security event, the Department for Science, Innovation and Technology (DSIT) launched its Code of Practice for Software Vendors, and proposals to ensure the cyber security of AI, inviting industry feedback  with an open call for evidence.

This follows the US Government’s work on improving software security, which includes laying the groundwork for possible legislation to establish liability for cybersecurity vulnerabilities in software products and services.

The voluntary Code of Practice for software vendors was co-designed by DSIT, NCSC and technical and industry experts, including NCC Group, and seeks to strengthen digital supply chains that all sectors of the UK economy rely upon.  It recognises that ‘software is a fundamental building block for digital technologies’ and sets out security and resilience measures across four principles for for organisations that develop or sell software used by businesses and other entities, to protect software integrity and quality; minimise the impact of vulnerabilities; and enable effective risk and incident management. The principles include secure design and development; build environment security; secure deployment and maintenance; and communication with customers.

Linked to the Code of Practice, the UK Government also proposes a two-part intervention for AI cyber security. This includes in the first instance, a voluntary Code of Practice to set baseline security requirements for all AI technologies and different actions to be taken by different stakeholders across the AI supply chain. The Government intends to take this Code into a global standards development organisation for further development, building on the work it undertook on consumer IOT security, and the ETSI EN 303 645 standard.

NCC Group’s Chief Scientist Chris Anley, who recently gave evidence to Parliament on the cyber security implications of large language models, was a member of the of the UK Government’s Software Vendor Code of Practice Co-design Group. Chris comments:

"NCC Group is proud to have contributed to the Software Resilience and Security Code of Practice for Software Vendors. It has been reassuring to see the UK Government’s engagement with technical experts such as ourselves, to make the Code as relevant and meaningful as possible. Insecure software poses significant risks to individuals, businesses, and the wider economy; by providing clear, measurable, and actionable guidance, the code of practice will help reduce those risks.

“It is also worth highlighting that the UK Government’s efforts in this area further support the findings from NCC Group’s Digital Dawn cyber policy report where we noted that political consensus around a whole of society approach to cyber comes with shifting responsibility away from end users onto those most capable of taking action to prevent bad outcomes. Many governments are using levers to embed secure-by-design and secure-by-default practices into the services and products citizens and organisations rely on to participate in digital society.

“We look forward to continuing our engagement with the UK Government’s work, and playing our part in encouraging effective uptake and implementation of the Code and its principles”.