This May, the UK government and National Cyber Security Centre (NCSC) introduced the Software Security Code of Practice, a timely and commendable initiative aimed at strengthening the security of software that underpins the UK’s digital infrastructure. Grounded in a “secure by design” philosophy, this code encourages software producers to embed security at every stage of the development lifecycle. This approach has long been championed by those of us working to advance cyber resilience across the industry.
Understanding the Code’s Ambition
This code of practice outlines 14 principles encompassing secure design, development, build environment security and safe deployment and maintenance practices. Its core objective is to elevate the baseline of software security practices and address systemic risks, including those introduced through the supply chain.
Crucially, the code is not prescriptive or mandatory; it is a voluntary framework. This signals both an opportunity and a challenge. While its flexibility allows innovation to flourish, it also places the onus on organizations to proactively engage and lead.
Voluntary Adoption: A Strategic Imperative
The voluntary nature of the Software Security Code of Practice invites varying levels of commitment. Some organizations may take a cautious, compliance-light approach. Others will see it as a moment to lead, moving beyond the checklist to embrace a posture of provable, continuous security improvement.
Organizations that take this latter path recognize the reputational, operational and strategic value of resilience. They are not merely responding to policy but are actively investing in trust. They understand that effective leadership in cybersecurity today requires demonstrable readiness, not just adherence to static frameworks.
Still, if too many choose to delay or disengage, the wider ecosystem could remain vulnerable. In that context, the code becomes less a destination and more a springboard, serving as an invitation to build on its foundation and cultivate enduring resilience.
What Provable Resilience Really Requires
The Software Security Code of Practice provides a strong start, but it alone won’t shield against determined, well-resourced adversaries. Cyber threats evolve too rapidly for static compliance to be sufficient. To meet the real-world complexity of software security, organizations must adopt a broader and more continuous approach, centered on four principles:
- Continuous Validation and Feedback: It’s not enough to ask, “Are we compliant?” The better question is, “How do we know we’re secure?” This demands continuous testing and validation of both technical systems and human behaviors, not as a one-off but as an always-on activity.
- People-First Security Culture: Tools matter, but people remain the front line of defense. It is essential to build a security-minded culture and equip everyone, from developers to leadership, with the practical skills and readiness to make critical decisions quickly during a crisis.
- Experiential, Realistic Training: Theoretical understanding falters under pressure. Teams need practical, scenario-based training and drilling that reflects the speed and chaos of real incidents, from individual hands-on labs to full-scale crisis simulations. This builds real capability, not just credentials.
- Measurable Readiness and Improvement: Stakeholders want evidence. Boards, customers and regulators alike are asking not just whether security controls exist, but whether they’re working. Metrics that track skill development, readiness and the ability to respond effectively in a crisis are becoming essential.
A Collective Call to Action
The Software Security Code of Practice represents a meaningful step forward. It signals a recognition that software must be built with resilience in mind from day one. But the organizations best positioned for the future will use the code not as an endpoint, but as a launching pad for a broader, provable strategy of secure software development.
The stakes are too high for a wait-and-see approach. Cyber resilience is no longer an aspirational goal; it is a prerequisite for operating in today’s digital environment. As software becomes more foundational to our society, the ability to demonstrate resilience will become a key differentiator, not only in terms of security posture but also in trust, reputation and long-term viability.
Are We Ready to Go Beyond the Baseline?
We now have a shared framework to build from. The next step is collaboration between government, industry and practitioners to ensure that secure-by-design isn’t a box-ticking exercise, but a lived reality.
The challenge ahead is clear: Let’s not settle for minimum viable security. Let’s aim for resilient, trustworthy and demonstrably secure software that stands up to the threats of today and tomorrow.