UK Government Unveils Software Security Ambassadors Scheme

Editorial

The UK government has introduced a new initiative aimed at improving software security across various sectors. The scheme, which involves appointing a cohort of “Software Security Ambassadors,” seeks to enhance the adoption of the Software Security Code of Practice. These ambassadors will promote best practices in software security, share practical implementation examples, and provide feedback to help shape future policies.

Among the initial participants are key organizations such as the Department for Science, Innovation, and Technology (DSIT) and the National Cyber Security Centre (NCSC). Other supporters include notable firms like Accenture, Cisco, ISACA, Lloyds Banking Group, Sage, and Palo Alto Networks.

DSIT emphasized the importance of transparency and continuous improvement in its announcement. “By acting as ambassadors, signatories are committing to a process of transparency, development and continuous improvement,” the department stated. The implementation of the code is expected to highlight potential issues, which will be valuable for both signatories and policymakers as they work to enhance government policy.

Understanding the Software Security Code of Practice

The Software Security Code of Practice was launched by the NCSC in May 2022. It outlines a set of voluntary principles aimed at defining effective software security throughout the software lifecycle. Designed for technology providers and organizations involved in software development, sales, or procurement, the code details best practices for secure design, development, and maintenance.

It also stresses the necessity of open communication with customers regarding potential security risks. The code aligns with internationally recognized standards, including the US Secure Software Development Framework (SSDF) and the EU’s Cyber Resilience Act (CRA).

Addressing Growing Security Concerns

The introduction of this code is a direct response to increasing concerns about software security, particularly in light of recent incidents. In the US, the Secure by Design Pledge was launched by the Cybersecurity and Infrastructure Security Agency (CISA) in 2023, urging software developers to prioritize product security.

According to DSIT, over half of organizations—59%—reported experiencing software supply chain attacks in the past year, underscoring the escalating risks for UK businesses and consumers. A survey conducted by ISC2 further revealed that more than half of respondents identified software vulnerabilities in supplier products as the most disruptive cybersecurity threat to their supply chains.

In response, ISC2 plans to promote the code through educational initiatives and thought leadership. The organization aims to drive awareness and encourage practical implementation throughout the software supply chain, aligning its own practices with the code.

Tara Wisniewski, ISC2’s Executive Vice President for Advocacy and Strategic Engagement, stated, “Promoting secure software practices that strengthen the resilience of systems underpinning the economy, public services, and national infrastructure is central to ISC2’s mission.” She noted that the code elevates software security to a board-level priority, essential for mitigating the impact of growing supply chain attacks.

As the UK government embarks on this new initiative, the hope is that the collective efforts of these ambassadors will lead to strengthened security practices and a more secure digital landscape for all.
