The UK is cracking down on software risks with a fresh approach aimed at software vendors. This week, the government unveiled a voluntary Software Security Code of Practice to guide how business software is built, maintained, and sold.
Led by the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT), the code sets clear expectations. It outlines 14 core principles grouped under four themes: secure design and development, build environment security, secure deployment and maintenance, and communication with customers. That covers everything from secure-by-default design and patch delivery to knowing what is in a product, for example through an SBOM (Software Bill of Materials).
Vendors can already start self-assessing against the code. A certification scheme is on the way too. Once launched, it will give buyers an easy way to spot vendors who meet the new security bar.
This move targets a growing problem. Basic security measures like multi-factor authentication (MFA) are often locked behind paywalls. Smaller companies also lack the tools or budget to build secure software from the start. These gaps increase software risks across the board.
The UK's strategy is simple: use procurement to drive better behavior. The code is written so that buyers can put it in tenders and contracts, so vendors who want to sell to UK organisations that adopt it should expect to show how they meet these minimum standards. That means being ready to answer tough questions about SBOMs, patch cadence, build-environment change logs, and product support timelines.
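The SBOM question is the one most buyers are least equipped to ask well. As an added example, not part of the article or of the NCSC/DSIT code, here is a small buyer-side completeness check over a vendor-supplied CycloneDX JSON SBOM: it rejects documents that do not identify the product, and flags components that carry no version or no package URL (purl), since those cannot be matched against vulnerability advisories. The SBOM embedded below is constructed for illustration; the product name, component list and the rule that a missing purl is a warning rather than an error are all assumptions of this example.

```python
"""Buyer-side CycloneDX SBOM completeness check (added example, not NCSC code)."""
import json
import re

# Constructed sample SBOM: one component has no version, one has no purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "application", "name": "acme-erp", "version": "4.2.0"}
    },
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "openssl",
         "purl": "pkg:generic/openssl"},          # no version at all
        {"type": "library", "name": "lodash", "version": "4.17.21"},  # no purl
    ],
})

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "metadata", "components")
# Loose purl shape: pkg:<type>/<namespace/name>[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#]+(@[^?#]+)?")


def check_sbom(text: str) -> dict:
    """Validate an SBOM document.

    Returns {"ok": bool, "errors": [...], "warnings": [...]}.
    Errors mean the SBOM cannot be used to match the product against
    advisories; warnings mean matching will be weaker than it should be.
    """
    errors, warnings = [], []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "errors": [f"not valid JSON: {exc}"], "warnings": []}
    if not isinstance(bom, dict):
        return {"ok": False, "errors": ["top level is not a JSON object"], "warnings": []}

    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            errors.append(f"missing top-level field {key!r}")
    if bom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat is not CycloneDX")

    # The SBOM must say which product (and version) it describes.
    root = (bom.get("metadata") or {}).get("component") or {}
    if not root.get("name") or not root.get("version"):
        errors.append("metadata.component must carry the product name and version")

    for index, comp in enumerate(bom.get("components") or []):
        name = comp.get("name") or f"<component {index}>"
        if not comp.get("version"):
            errors.append(f"{name}: no version, cannot be matched to advisories")
        purl = comp.get("purl")
        if not purl:
            warnings.append(f"{name}: no purl, matching relies on the bare name")
        elif not PURL_RE.match(purl):
            errors.append(f"{name}: malformed purl {purl!r}")
        elif "@" not in purl:
            warnings.append(f"{name}: purl carries no version")

    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    print("accepted" if result["ok"] else "rejected")
    for line in result["errors"]:
        print("ERROR  ", line)
    for line in result["warnings"]:
        print("WARNING", line)
```

Run against the constructed sample, the check rejects the document because `openssl` has no version, and warns about the version-less `openssl` purl and the missing `lodash` purl. A real procurement check would add the vendor's own vulnerability-disclosure contact and declared support end date to the list of required fields, both of which the code asks vendors to publish.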
Although the code is voluntary now, it could evolve. A similar playbook played out in 2018. Back then, the UK introduced a voluntary Code of Practice for Consumer IoT Security. That fed into the Product Security and Telecommunications Infrastructure (PSTI) regime, now in force, which bans universal default passwords and requires manufacturers to publish a vulnerability disclosure policy and a minimum security-update period.
This new push takes cues from the U.S. too. More than 250 companies have signed CISA's Secure by Design pledge. But critics say it lacks enforcement and hasn't sparked wide change. The UK hopes its procurement-first approach will succeed where a pledge alone has stalled.
The goal is clear: reduce software risks at the source. The code encourages vendors to ship secure defaults, maintain clear communication with buyers, and deliver timely fixes. Security should no longer be an afterthought or a premium feature.
The NCSC says the code aligns with existing international standards and frameworks. That's important for vendors working across borders: a company already meeting equivalent requirements elsewhere should be able to map that work onto the UK code rather than start a separate compliance effort.
This announcement comes as security leaders raise alarms. JPMorgan Chase’s Chief Security Officer Pat Opet recently warned that racing to add new features has left software dangerously exposed. He urged vendors to put security first and slow down if needed.
Opet believes rushing products to market—without strong protections—creates long-term software risks. It puts entire business ecosystems at risk and threatens the broader economy.
For now, the UK is using guidance and market pressure to shift the tide. But if vendors don’t step up, regulations may not be far behind.