UK Launches New Cybersecurity Assessment Initiatives

The UK has announced a series of new cybersecurity assessment schemes in a bid to promote secure-by-design principles.
Unveiled at the CYBERUK 2025 conference, the new initiatives are designed to enable firms to demonstrate their cyber resiliency, and boost confidence in the products and services used by organizations.
The first scheme is the Cyber Resilience Test Facilities (CRTF) program. This will develop a network of assured facilities that can independently audit the cybersecurity of technology vendors’ products in a consistent and structured way.
These assessments can be carried out by public and private sector organizations, including the UK government.
CRTF is designed to shift away from traditional, compliance-based schemes to a principles-based approach.
In addition, the National Cyber Security Centre (NCSC) will launch a new scheme for Cyber Adversary Simulation (CyAS) in early summer 2025.
Companies assured under CyAS will deliver services to test an organization’s cyber resilience, including its ability to prevent, detect and respond to simulated cyber-attacks.
Organizations participating in the schemes will receive a report outlining the results of the assessment and the areas that need remediation.
Those that meet the required security standard will be awarded an NCSC assured logo, which can be used for marketing purposes.
During CYBERUK, Jonathan Ellison, NCSC Director for National Resilience, said that as well as providing reassurance for users of digital products and services, the schemes are designed to help create consumer pressure for secure-by-design practices.
“I think the demand side as well as the supply side is really important when it comes to secure technologies,” Ellison explained.
Government Publishes Software Security Code of Practice
The UK government also published a new Software Security Code of Practice during CYBERUK.
This guide sets out essential steps every organization developing or selling software should be taking to secure their products.
The voluntary code consists of 14 principles that software vendors are expected to implement to establish a consistent baseline of software security and resilience across the market.
These principles include:
- Having a clear process for testing software and software updates before distribution
- Minimizing the risk of build environments being compromised to protect the integrity and quality of the software
- Implementing and publishing an effective vulnerability disclosure process
- Providing timely security updates, patches and notifications to customers
- Providing information to the customer specifying the level of support and maintenance provided for the software being sold
Commenting on the announcement, James Neilson, SVP International at OPSWAT, welcomed the new code, saying it sends a signal to software developers to get serious about end-to-end security and sharpen their focus on security by design.
“Software developers often use third-party components, including open-source software, to speed up development and add features. However, these may contain known or newly discovered vulnerabilities, or even ones introduced maliciously,” Neilson commented.
He added: “By securing their software supply chains – scanning for hidden threats, validating SBOMs, securing build environments, and ensuring that what is delivered is exactly what was intended – vendors can build greater resilience and trust into their software.”