The UK government on Wednesday is moving to codify “secure-by-default” expectations for software makers with the rollout of a voluntary Software Security Code of Practice that sets a market baseline for how vendors build, ship and maintain business software.
The framework, co-authored by the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology, lays down 14 baseline principles covering everything from secure design and build-environment hardening to security patch cadence and vendor-to-customer transparency.
British policymakers say software vendors can self-assess against the code immediately, while officials develop a certification scheme designed to give buyers an independent stamp of assurance.
The initiative tackles what the NCSC calls a structural market failure where core safeguards like multi-factor authentication still ship as premium add-ons, and small development teams often lack both the budget and expertise to bake security into default settings.
By baking minimum expectations into procurement conversations, the UK government is hoping to steer even small software firms toward “secure-by-design and default” practices without immediately imposing regulation.
The approach mirrors the US government’s oft-criticized Secure by Design pledge, a seven-point commitment signed by more than 250 American tech companies. That pledge, managed by CISA, is likewise voluntary with no federal mechanism to penalize recalcitrant vendors.
If history is a guide, the UK government’s Code of Practice could mature into mandatory rules. Back in 2018, a voluntary code for consumer-IoT security eventually spawned the Product Security and Telecommunications Infrastructure Act, which makes it illegal to sell smart devices with universal default passwords and weak disclosure channels in the UK.
For now, the bet is that clear guidance, procurement pressure and a forthcoming certification badge will nudge vendors toward the 14 principles that range from SBOM tracking and secure build pipelines to one-year end-of-support notices.
In practical terms, that means software suppliers courting UK business will soon face pointed questions about SBOM accuracy, build-pipeline logs and how quickly security updates ship.
“The principles that form the Code of Practice are relevant to any type of software supplied to business customers,” the NCSC said in a statement. “[It] is designed to be complementary to relevant international approaches and existing standards in this space to limit the compliance burden for organisations operating across borders.”
The new initiative comes on the heels of a call by JPMorgan Chase security chief Pat Opet for software vendors to prioritize security over features as a matter of urgency.
“Fierce competition among software providers has driven prioritization of rapid feature development over robust security. This often results in rushed product releases without comprehensive security built in or enabled by default, creating repeated opportunities for attackers to exploit weaknesses,” Opet warned.
“The pursuit of market share at the expense of security exposes entire customer ecosystems to significant risk and will result in an unsustainable situation for the economic system,” he added.
Related: CISA Introduces Secure-by-Design Development Principles
Related: Phil Venables: ‘I’m short-term pessimistic, long-term optimistic’
Related: CISA Debuts ‘Secure by Design’ Alert Series
Related: Google Cites ‘Monoculture’ Risks in Response to Microsoft CSRB Report
Related: Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report