The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom's National Cyber Security Centre (NCSC-UK) and Department for Science, Innovation and Technology (DSIT) in releasing a software security code of practice and accompanying guidance for software vendors.
Software supply chain attacks and other software resilience incidents can be caused by weaknesses in software development and maintenance practices. This joint guidance aims to improve the security and resilience of software that organizations rely on.
The joint guidance includes the 3 publications below.
Software security code of practice
The Software security code of practice outlines 14 principles that software vendors should implement to establish a consistent baseline of software security and resilience. These 14 principles are grouped under 4 themes:
- secure design and development
- build environment security
- secure deployment and maintenance
- communication with customers
Read the Software security code of practice.
Software security code of practice: Implementation guidance
The Software security code of practice: Implementation guidance helps organizations that develop and/or sell software understand how they can meet the principles in the Software security code of practice.
Read the Software security code of practice: Implementation guidance.
Software security code of practice: Assurance principles and claims
The Software security code of practice: Assurance principles and claims guidance helps vendors measure how well they are meeting the themes and principles of the Software security code of practice and suggests remedial actions should they fall short.
Read the Software security code of practice: Assurance principles and claims.