Leading high-street banks and technology firms are among those signing up to champion secure software development.
The UK Government has rallied together the biggest businesses operating in Britain to drive secure software development across critical industries and strengthen the nation’s cyber resilience.
Thirteen major firms have signed up to the Software Security Ambassadors Scheme, including leading banks like Lloyds Banking Group and Santander, as well as tech giants Cisco, Sage, and Palo Alto Networks.
Working with DSIT and the National Cyber Security Centre as part of a wider £210 million push to strengthen cyber resilience, these industry partners will champion the government’s Software Security Code of Practice, demonstrating practical implementation and providing feedback from their sectors.
Designed to make the software that UK organisations and businesses rely on resilient to attack, the voluntary Code of Practice outlines steps that software vendors and their customers should take to secure and maintain essential services, and encourages better communication between businesses and their software suppliers.
Government figures show that software weaknesses can cause severe disruption to supply chains and to services the public uses every day, with more than half (59%) of organisations experiencing software supply chain attacks in the past year.
Acting as ambassadors, the businesses signing on to the software security scheme, which also includes Accenture, ISACA, NCC Group, and ISC2, have committed to implementing the code and sharing “their real-world success stories and use cases”.
“By acting as ambassadors, signatories are committing to a process of transparency, development and continuous improvement,” the government’s policy paper states.
“The implementation of this code of practice will take time and, in doing so, may bring to light issues that need to be addressed. Signatories and policymakers will learn from these issues as well as the successes and challenges for each organisation and, where appropriate, will share information to help develop and strengthen this government policy.”
As part of the public commitment to the scheme, the signatories will have to promote the Software Security Code of Practice across their web presence, including social media channels, and provide feedback on incidents to the government.
While software buyers also agree to incorporate the Code into procurement policies and procedures, it is software suppliers that bear the brunt of the responsibility, agreeing to publish self-assessments and third-party verifications to demonstrate compliance, and put in place measures for workers to gain expertise in secure software development.
“Companies that develop and sell software should embed security into their practices at all stages of the software lifecycle…and should be transparent in the communication of risk and incident management to customers,” the agreement reads.
