Government launches public consultation on software security

Approach lauded as 'open' and 'nuanced' by experts, who hope advice on best practice will follow

The UK government has issued a public consultation on software resilience and security.

"To strengthen the UK's resilience, we must ensure that the digital products and services we use are secure by design, and software is a foundational and critical digital tool on which our economy now relies," writes Julia Lopez, minister of state for media, data and digital infrastructure at DCMS, in the policy paper's foreword.

"But we must also help the organisations involved in the development, distribution, maintenance and use of these products and services manage the risks associated with software."

Lopez offers the examples of SolarWinds, where Russian hackers gained access to numerous government departments and corporations via an introduced flaw in the popular networking software, and Log4J, a component used in hundreds of thousands of applications that was found to be vulnerable, as examples risks posed by insecure software.

The policy document highlights the importance of open source software to innovation and the challenges developers can face to ensure their software is secure, and asks for public views about "where responsibilities should lie" in ensuring code security.

The UK will also need to collaborate closely with international partners, Lopez says, "given that software and our digital environment is global."

The government is inviting all organisations with an interest in software security and digital supply chains to take part in the survey.

Amanda Brock, CEO of not-for-profit OpenUK, said she appreciated the "open" and "nuanced" approach being taken by the DCMS on this issue, as well as the consultation's timely focus on the pressures faced by open source developers.

"OpenUK welcomes this policy paper, which seeks to recognise and build on the open source community's work and contribution whilst respecting the need to improve user understanding of open source software and its curation," she said in a statement emailed to Computing.

"It is critical to the future of open source software, and by implication the cutting edge innovation it creates, to recognise that open source developers and maintainers must not be unduly burdened by regulation, and we are pleased to see this approach being taken."

The consultation paper recognises the fact that "open source software has a different collaborative model," said Brock, and it "calls out the big issues that we all recognise around software supply chains and security, which are not open source but software issues in a digital economy."

Ciaran Luttrell, senior director, SOC operations EMEA, at security vendor eSentire, said he hoped the consultation would lead to an effort to codify best practice for organisations to improve their security, including through vulnerability management and more effective threat detection.

"This would help shift the paradigm to a more proactive incident response process, with the net benefit of helping companies prepare for any impact from a cyber incident," he said.

"This is the digital equivalent of health and safety for businesses, and so it should be encouraged as much as possible."

A similar hope was voiced by Matt Middleton-Leal, managing director EMEA North at security vendor Qualys.

"In some respects, IT security still needs to put effective best practices in place to get the basics right, from having accurate and maintained asset inventories in place through to vulnerability management and web application security checks and fast, timely patching. These are some of the most necessary steps that can protect companies of all sizes against attack, but they still get missed or overlooked due to the pressure of keeping up."

He added: "It will be interesting to look at any recommendations that come from this work - for example, how to combine the IT skills around implementing the right processes, technology and people alongside risk management using cyber insurance. Getting this balance together can help organisations be better at proactively protecting their systems and preparing for any potential incident."

The consultation will run until Monday 1st May.

In May 2021, in response to the SolarWinds, Microsoft Exchange and Kaseya supply chain attacks, Joe Biden issued an executive order (EO) on software security which included standards that vendors must meet if their software is to be used by federal agencies. These include a requirement for a software bill of materials (SBOM) to track components and a zero trust approach to architecture.

The EO was seen by security experts as an important, if belated, turning point in the US government's attitude to cybersecurity and its recognition of the complex, interconnected and globalised nature of the software supply chain, in which the provenance and quality of components is not always clear.