Achieving EU cyber compliance through a comprehensive application security strategy

the editorial team

June 21, 2024

A look at how upcoming EU cyber legislation prescribes stronger approaches to the resilience of digital solutions, backed by robust supply chain risk management, and how this will steer the future of software security and compliance practices.

By Isabela Bonani, Thomas van der Ven and Peter Avamale

Modern software development relies heavily on third-party and open-source libraries and packages. While these boost efficiency, they also introduce significant risks, which underscores the critical need for robust security measures to protect software supply chains. Nevertheless, in the continuous pace of the Software Development Life Cycle (SDLC), security often ends up an afterthought, bolted on as the solution evolves rather than designed in from the start.

The continuous integration and continuous deployment (CI/CD) approach, adopted for efficient code development and delivery, demands that organizations prepare for a more integrated approach to security across software development. Ensuring the integrity of code and dependencies throughout the CI/CD pipeline is essential to safeguard against vulnerabilities that could compromise the entire software supply chain.

To address the risks associated with outsourced software components, the EU has introduced the Cyber Resilience Act (CRA), which aims to bolster the resilience of products with digital elements, such as IoT products, software, and data processing solutions connected to external networks or devices. The CRA will impose obligations on manufacturers to ensure security throughout the entire lifecycle of their products, including the management of third-party software risks through vulnerability handling and compliance assurance of third-party (and open-source) software components, as well as strategic supply chain risk assessment for products used in critical sectors.

To demonstrate compliance with the Regulation, manufacturers targeted by the CRA are required to prepare technical documentation. A key component of this documentation is the Software Bill of Materials (SBOM), a means of documenting all components and dependencies in software to enhance supply chain transparency and manage vulnerabilities. SBOMs are typically produced and consumed with Software Composition Analysis (SCA) tools. These tools scan codebases to identify dependencies and open-source components, and they verify their licenses, thereby providing a comprehensive inventory of all software components and dependencies.

SCA tools provide critical mechanisms for managing software dependencies, including the detection of all open-source elements within a codebase, verification of adherence to open-source licenses, identification of known security vulnerabilities, monitoring of third-party components for updates and patches, and real-time notifications of potential risks. By integrating these tools into CI/CD pipelines, organizations can automatically generate SBOMs and continuously monitor third-party components, ensuring that security considerations are embedded from the outset and maintained throughout the development lifecycle.
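As an added illustration (not code from the authors or from any SCA product), the following Python check does, in miniature, what an SCA step in a CI/CD pipeline does with an SBOM: it reads a constructed CycloneDX-style SBOM, matches each component's package URL and version against a constructed advisory list, checks declared licenses against an allowlist, and returns findings that can fail the build. The package names, advisory IDs, version ranges and license policy are all invented for the example.

```python
import json
# Constructed CycloneDX-style SBOM; package names and versions are fictional.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.4.1",
     "purl": "pkg:pypi/acme-http@2.4.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "widget-parser", "version": "1.0.3",
     "purl": "pkg:npm/widget-parser@1.0.3", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "tidy-logger", "version": "0.9.0",
     "purl": "pkg:pypi/tidy-logger@0.9.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "legacy-util", "version": "3.1.0",
     "purl": "pkg:pypi/legacy-util@3.1.0"}
  ]
}"""

# Constructed advisory feed: affected from "introduced" up to, not including, "fixed".
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:pypi/acme-http", "introduced": "2.0.0", "fixed": "2.5.0"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:pypi/tidy-logger", "introduced": "0.5.0", "fixed": "0.8.2"},
]
# Example license policy: SPDX ids the organization's legal team has approved.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def parse_version(v):
    """Dotted numeric versions only (no pre-release tags); compares as integer tuples."""
    return tuple(int(part) for part in v.split("."))
def affected(version, introduced, fixed):
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def component_licenses(comp):
    """SPDX ids (or names) declared for a component; 'UNKNOWN' when nothing is declared."""
    ids = [e.get("license", {}).get("id") or e.get("license", {}).get("name") or "UNKNOWN"
           for e in comp.get("licenses", [])]
    return ids or ["UNKNOWN"]

def scan_sbom(sbom_text, advisories=ADVISORIES, allowed=ALLOWED_LICENSES):
    """Return (kind, name, version, detail) findings; an empty list means the build may proceed."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp.get("name"), comp.get("version", "")
        base_purl = comp.get("purl", "").split("@")[0]  # drop the version qualifier
        for adv in advisories:
            if adv["purl"] == base_purl and affected(version, adv["introduced"], adv["fixed"]):
                findings.append(("vulnerability", name, version, adv["id"]))
        for lic in component_licenses(comp):
            if lic not in allowed:  # undeclared licenses block too: the inventory must be complete
                findings.append(("license", name, version, lic))
    return findings
```

Run in a pipeline step, a non-empty result from `scan_sbom` is the signal to fail the build and open a vulnerability-handling ticket; a real SCA tool replaces the inline advisory list with a continuously updated feed.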

Ensuring and documenting the resilience of digital solutions with SCA tools and SBOMs is only one of the many elements that promise to shape the standard for software security and compliance in the years to come. Organizations in the scope of the forthcoming CRA and other cyber legislation should be anticipating and preparing their supply chain security and risk management efforts, not only to ensure a strategic approach to compliance but also to fortify their defenses against the ever-present threats in the digital landscape.

To comply with the CRA sustainably, organizations need a holistic SDLC program that incorporates the right tools and fosters organizational commitment to managing risks. This comprehensive approach involves providing teams with the necessary tools and resources, ensuring the seamless integration of security measures into development workflows, and defining roles and responsibilities across product owners, security officers, risk managers, and legal teams. By fostering strategic collaboration among these stakeholders, organizations can address security concerns more effectively and ensure that all aspects of the software development process are secure.