
Why Hexiosec Adopted the UK Software Security Code of Practice

David Griffiths | 15 April 2026 | 5 min read


In January 2026, the UK government launched the Software Security Ambassador Scheme - a year-long initiative backed by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC). Thirteen organisations signed up as ambassadors. Hexiosec is one of them.

We are the smallest company in that cohort. The other ambassadors include Cisco, Palo Alto Networks, Sage, Santander, Lloyds Banking Group, NCC Group, and Accenture. We are a cybersecurity company of around 25 people, based in Cheltenham, and we build two SaaS products: Hexiosec ASM for external attack surface management, and Hexiosec Transfer for UK-sovereign encrypted file transfer.

That combination - small company, big table - is not accidental. It’s the whole point.

What the Code of Practice is

The Software Security Code of Practice is a voluntary framework published by DSIT and the NCSC in May 2025. It sets out 14 principles across four themes: secure design and development, build environment security, secure deployment and maintenance, and communication with customers.

It is designed to raise the baseline of software security across the UK market. The emphasis is on practical outcomes: secure-by-design development, protection of build environments, responsible vulnerability management, and clear communication with customers about security posture and lifecycle.

The Code is not a one-off compliance exercise. It is intended to encourage continuous improvement and transparency. That distinction matters. It asks organisations to think about how their security practices are implemented and maintained - not just whether a control exists on paper.

Why we signed up

  • First, for our customers. Hexiosec Transfer and ASM handle sensitive data for organisations including UK government departments, financial services firms, and Formula One teams. The security of our own products is not a secondary concern; it is the entire proposition. We engineer solutions that our customers trust, and we want them to know that our software is as secure as possible.

  • Second, for our own resilience. Completing the self-assessment gave us a structured framework to review our development, build, and deployment practices with fresh eyes. We have strong engineering disciplines already - our team is made up of people who spent their careers in UK government and defence intelligence. But even strong practices benefit from being tested against a well-designed external benchmark.

  • Third, to prove that SMEs can lead. Too often, rigorous software security is treated as something only large enterprises can achieve. We disagree. Being smaller means security is embedded into everyday engineering decisions, not managed through a parallel governance layer. The Code of Practice gives us a way to evidence that - transparently and against a recognised standard.

Why size is not an excuse

The Ambassador Scheme was designed to include organisations of different sizes, sectors, and maturities. That was deliberate. The Code is meant to be adopted by any organisation that develops or sells software - not just those with dedicated compliance teams and six-figure security budgets.

For Hexiosec, the assessment was completed by our Engineering Team Lead, Lauren Palmer, in September 2025. The process was thorough but manageable. We were able to evidence strong alignment across the majority of the 14 principles, and we identified a small number of areas where we believe our processes and documentation can be strengthened further.

We will share the detail of what we found in a companion article, but the main point here is simple: if a 25-person company can complete a meaningful self-assessment against this code of practice, make a small number of improvements as a result, and incur no material cost in doing so, then the barrier to adoption for most UK software businesses is very low indeed.

Why this matters for the supply chain

Recent incidents have made the case sharply. Attacks affecting organisations including Jaguar Land Rover, Marks & Spencer, and the pathology provider Synnovis have shown how disruption travels through supply chains. In each case, the impact extended well beyond the organisation initially targeted - reaching customers, partners, and in the Synnovis case, frontline NHS services.

Large organisations invest heavily in their own internal security. But they are reliant on the software and services of many smaller organisations. Weaknesses elsewhere in the supply chain can undermine that investment entirely.

The Code of Practice addresses this directly. It provides a practical baseline that organisations of all sizes can adopt, creating a shared language for software security expectations across the supply chain. For SMEs, this is not a burden to avoid. It is an opportunity to demonstrate credibility to customers who are already asking the question - and to get ahead of procurement requirements that will increasingly make these principles mandatory.

What happens next

We have completed our initial self-assessment and identified actions in two areas: one internal security process that we are tightening within the engineering team, and an opportunity to enhance how we communicate certain aspects of security and lifecycle management to customers.

Once those actions are complete, we will carry out a final review and publish our results. Our aim is not to implement the 14 principles mechanically, but to align as closely as possible with recognised best practice - with clear, reasoned explanations where any specific principle is addressed differently due to our SaaS delivery model.

As ambassadors, we have also committed to promoting the Code across our sector and sharing what we learn from the process. This article is the first in a series of four:

  1. Why we adopted the Code of Practice (this article)
  2. What we found in our self-assessment against the 14 principles (coming soon)
  3. A practical guide to completing the self-assessment yourself (coming soon)
  4. Software Security Code of Practice vs Cyber Essentials: what’s the difference and do you need both? (coming soon)

If your organisation develops or sells software and you want to understand what the Code of Practice means in practice, those articles will walk you through it.

If you want to understand what your own organisation looks like from the outside - what an attacker would see before you even get to software security - start with a free attack surface scan.


About David Griffiths
David is Hexiosec's Chief Executive Officer, and one of our co-founders. He has 25 years' experience of leading, developing and architecting complex technical systems across the Defence, Government and Commercial sectors. David is a cyber security and cloud infrastructure specialist, with a rich background in agile methodology and modern software development technologies, covering a broad range of environments from embedded systems to web applications.