The government has responded to last Spring's call for views on software resilience and security for businesses and organisations which sought views on: the range of risks linked to software; what was already being done to manage the associated risks; and what further action government would be most effective at taking to drive improvements.
The response sets out a package of policy interventions that the government intends to take forward in the coming months and years. These interventions will empower organisations who develop, sell and buy software to better understand their responsibilities and take action to reduce risk, thereby improving standards of software security throughout our supply chains.
Key themes from the call for views
Feedback gathered from stakeholders throughout the call for views process focused on the following themes, which outline different core risks and opportunities:
- Secure software development is key to strengthening the UK's organisational resilience.
- Improved management of free and open source software could help protect organisations while still ensuring they benefit from its innovation and efficiency; and there is a role for government to support a focus on security within the open source community.
- More transparency is required across the software supply chain.
- There is a need to strengthen accountability in the software supply chain.
- Government must play a collaborative role.
3 key areas of priority moving forward
In its response, government identifies three key areas of priority to help improve software security practices and protect the security and resilience of organisations across the UK, which reflect the key themes heard in the call for views:
- Setting clear expectations for software vendors - secure and consistent standards are needed for companies which create and sell software.
How will government address this?
- Develop a Code of Practice for Software Vendors - this will set the clear baseline expectations for software security which will mitigate risks from development to distributions and communication of vulnerabilities and incidents. The Code of Practice will be voluntary, but government is not ruling out the possibility of legislative backing if industry uptake is insufficient.
- To help software vendors meet the expectations set out in the Code of Practice, government will work with the UK Cyber Security Council to professionalise secure software development; the NCSC is exploring expansion of their certification programme for university degrees to include an additional standard for software security; and government is exploring the possibility of providing additional support to industry-led software security initiatives.
- Strengthening accountability in the software supply chain - the purchasers of software need to have effective security practices and mechanisms to hold software vendors accountable through contractual requirements.
How will government address this?
- Government will help software customers to hold their suppliers to account by 1) developing cyber security training aimed at UK procurement professionals, to help ensure organisations are using their buying power to drive improved practices in the software market; 2) creating standardised procurement clauses; 3) working with the NCSC to publish content on the use of Software Bills of Materials to help customers understand how these could be used to assess security of suppliers.
- Further to publishing the Code of Practice, government will also explore whether accreditation could be a useful means of enabling customers to more easily hold their suppliers to account.
- Protecting high risk users and addressing systemic risks - public sector software development and use is a particular priority in terms of its higher risk context. It is also important that government leads by example in its own practices in order to support the improvements that our proposed interventions seek to drive across all sectors. Of particular importance will be assessing and improving the resilience of free and open source software which is vital to protecting technologies developed for use in both public and private sector contexts.
How will government address this?
- The Code of Practice for Software Vendors will take clear steps to promote secure development processes in all contexts of software development, by requiring software vendors to take appropriate steps to test any third-party components that they incorporate or use. Government can drive good practice across the economy by leading by example and leveraging its buying power.
- In order to support the safe use of software in critical contexts (whether purchased or developed in-house), government will 1) explore the creation of minimum security requirements for organisations supplying software to government; 2) work with industry to incorporate best practice into government and identify which innovative solutions to free and open source risk management from the private sector could be implemented within government; and 3) explore the development of a government initiative to assess and improve the resilience of free and open source software used in high risk contexts.
techUK very much looks forward to engaging with government on the proposed Code of Practice for Software Vendors and supporting interventions.
You can read the full response to government's call for views on software resilience and security here.