Skip to main content

36 docs tagged with "cra"

View all tags

CRA 5-Minute Primer

The EU Cyber-Resilience Act (CRA) is a landmark law that makes cybersecurity a mandatory, legal requirement for all "products with digital elements" sold in the European Union. For the first time, secure-by-design principles are moving from best practice to a legal obligation, enforced through CE marking.

CRA Readiness Gap Analysis

A practical CRA readiness checklist for connected-product teams assessing scope, secure-by-design controls, vulnerability handling, technical documentation, evidence gaps, and next actions.

Cryptography under the CRA

Practical guidance for connected-product teams assessing cryptographic algorithms, protocols, keys, firmware integrity, data protection, crypto agility, and CRA evidence.

First-Sprint Checklist

Use this checklist when a connected-product team needs to start secure-by-design work quickly and turn it into sprint-sized actions.

Glossary of Terms

This glossary defines key terms, acronyms, and concepts used throughout the Secure-by-Design Handbook.

Patch Cadence & Rollback Strategy

Patch cadence is the operating commitment for how quickly a manufacturer assesses, remediates, releases, communicates, and evidences fixes for vulnerabilities. Rollback strategy defines when reverting an update is safe, when it is dangerous, and how the product recovers without reintroducing known risk.

Real-World Vulnerability Lessons

A practical hub for secure-by-design case studies, routing real product vulnerabilities by failure pattern, control area, evidence lesson, and product-team check.

SBOM & VEX Workflows

A Software Bill of Materials (SBOM) records the software components in a product or release. A Vulnerability Exploitability eXchange (VEX) record explains whether a known vulnerability in one of those components affects the product.

Secure Boot Implementation

Secure boot is the product control that prevents unauthorised firmware or software from running during startup. For connected products, it is one of the main ways to protect firmware integrity, support trustworthy updates, and retain evidence that the released product boots only code approved by the manufacturer.

Secure OTA Updates

Secure over-the-air (OTA) updates let a manufacturer deliver security fixes to deployed products without weakening firmware integrity, bricking devices, or losing evidence of what changed. For connected products, the update mechanism is part of the security architecture, not just a delivery channel.

Secure-by-Design Evidence Pack

A secure-by-design evidence pack is a structured collection of documents, records, and technical artefacts that helps show how a connected product was designed, built, assessed, released, supported, and maintained.

Secure-by-Design Maturity Model

A practical secure-by-design maturity model for connected-product teams assessing CRA readiness, product-security practices, evidence quality, vulnerability handling, secure updates, and lifecycle support.

Secure-by-Design Policy Starter Kit

Starter policy templates and outlines for connected-product teams covering coordinated vulnerability disclosure, vulnerability handling, security updates, secure development, and CRA evidence records.

Threat Modeling

Threat modeling is the structured process for understanding how a connected product could be attacked, what risks matter most, which mitigations are needed, and what evidence supports those decisions.

Types of Embedded Device

A practical guide to classifying embedded device architectures and understanding how MCUs, embedded Linux systems, and hybrid designs affect secure-by-design controls, CRA readiness, and evidence.

Vulnerability Disclosure (CVD)

Coordinated Vulnerability Disclosure (CVD) is the process that lets researchers, customers, users, and partners report potential vulnerabilities to a manufacturer so the issue can be triaged, remediated, communicated, and evidenced.

What is Secure-by-Design?

Secure-by-design means making security part of product architecture, defaults, development, update, vulnerability handling, and lifecycle evidence. It is not a final test before release, a feature added by the security team, or a burden passed to the customer.