Joint guidance on software security code of practice

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom's National Cyber Security Centre (NCSC-UK) and Department for Science, Innovation and Technology (DSIT) in releasing a software security code of practice and accompanying guidance for software vendors.

Software supply chain attacks and other software resilience incidents can be caused by weaknesses in software development and maintenance practices. This joint guidance aims to improve the security and resilience of software that organizations rely on.

The joint guidance includes the 3 publications below.

Software security code of practice

The Software security code of practice outlines 14 principles that software vendors should implement to establish a consistent baseline of software security and resilience. These 14 principles are divided across 4 themes:

  • secure design and development
  • build environment security
  • secure deployment and maintenance
  • communication with customers

Read the Software security code of practice.

Software security code of practice: Implementation guidance

The Software security code of practice: Implementation guidance helps organizations that develop and/or sell software understand how they can meet the principles in the Software security code of practice.

Read the Software security code of practice: Implementation guidance.

Software security code of practice: Assurance principles and claims

The Software security code of practice: Assurance principles and claims guidance helps vendors measure how well they are meeting the themes and principles of the Software security code of practice and suggests remedial actions should they fall short.

Read the Software security code of practice: Assurance principles and claims.
