GOV.UK logo and Code of Practice for Software Vendors: call for views

Bringing an SME perspective to government’s Code of Practice for Software Vendors

Rob Smart

Standfirst: The government consulted industry experts to develop its draft Code of Practice for Software Vendors. One of those invited to contribute was Zaizi’s solutions architect Rob Smart, who provided insights from the perspective of an SME.

As specialists in creating secure products and services for government organisations, we were honoured to be part of the collaborative process that shaped the UK government’s draft Code of Practice for Software Vendors. 

I joined security representatives from major tech companies like Splunk, Oracle, and IBM, as well as independent experts to thrash out some of the detail. We provided input through a series of workshops set up by the Department for Science, Innovation and Technology (DSIT).

The government now wants views on this voluntary Code of Practice, which aims to make software security a core part of how vendors develop and distribute products and services. 

The code sets out high-level principles and specific guidance to raise the bar for security practices across the industry. A key goal is to mitigate supply chain attacks, such as the recent data breach involving the MOVEit file transfer application that affected many organisations.

Our Involvement 

One of our clients invited Zaizi to contribute to the code. Over a few months, I took part in eight workshops that focused on reviewing, drafting, and refining the wording of the draft code.

In smaller breakout groups, we worked on suggesting changes and improvements, which the wider group discussed and incorporated into the draft. 

Over 12 weeks, each 4-hour workshop built upon the progress made in previous sessions, allowing for iterative refinement and group discussions.

This collaborative process meant that, as SMEs, we had the same input and influence as the more prominent vendors. Smaller vendors face different challenges compared to their larger rivals. For example, they may not have dedicated security specialists. 

Our involvement meant we could convey the sentiment of the smaller organisations so that the guidance was relevant for organisations of all sizes.

DOWNLOAD REPORT: Avoiding the policy-delivery gap: Digital government is hard, so what can we do to succeed?

What’s next?

With the draft code now open for public consultation, the government wants broader input from the industry to help identify gaps or areas of concern before it’s finalised. 

I urge government organisations and suppliers to review the draft and provide input. Your contribution will help shape this crucial initiative to enhance software security practices nationwide.

Establishing clear guidelines and promoting robust development practices will help establish a baseline of competence for vendors and reduce vulnerabilities that could be exploited by malicious actors.

We believe in the importance of secure-by-design principles for software development. Get in touch with me if you’d like to learn more about our expertise in this area or discuss how we can support your organisation’s secure development efforts. 

Thanks for joining us! We’ll keep you informed with regular updates.

Sign up to our newsletter

Consent(Required)
This field is for validation purposes and should be left unchanged.