We help manufacturers of IoT devices control their own fate.
Business meets system architecture: Getting the big decisions right!
Our Offering
System Architecture
System architecture answers the difficult questions with big impact early in product development. Which SoM comes with a CRA-compliant Linux? Which components should manufacturers develop themselves, which outsource and which buy off the shelf? Which team structure leads to an architecture for the system that is upgradable for the next 10-15 years? How can manufacturers save costs by reducing the number of embedded systems in their machines?
38 posts
Cyber Resilience Act
The CRA forces manufacturers to protect their embedded systems properly against cybersecurity threats. Otherwise, they face heavy penalties and sales bans. We provide practical tips on how to perform a risk assessment, which security measures are enough to satisfy the essential product requirements, how to tame the thousands of vulnerabilities, and whether it's worth making an embedded system comply with the CRA at all.
24 posts
License Compliance
A typical embedded Linux system comprises 250+ software components under 75+ different licenses like BSD, Apache, LGPL, EPL and GPL. You must satisfy the license obligations for all components and ensure that license combinations are legal and desirable. A special focus is on using Qt under LGPL and on avoiding the hefty fees for commercial Qt licenses on embedded systems.
11 posts
Applications & Services
Applications and services mediate between users and machines. They represent the core business. Embedded systems often start out as a single application, but typically end up as multiple applications and services. Our experience led us to the adoption of a winning strategy. We organise applications and services as microservices and design them according to the ports-and-adapters architecture.
15 posts
Embedded Linux
Every SoM comes with a makeshift Linux system. Every manufacturer must add OTA updates, security measures, remote access, GUI frameworks and more. That's a lot of duplicated work. It would be much more efficient if a SoM maker provided a Linux with all the features ready for use by manufacturers. Toradex does this with Torizon. We show how manufacturers can benefit from this groundwork with minimal effort. Torizon even runs on non-Toradex SoMs. SoM = Solutions on Module.
34 posts
Continuous Delivery
Following the principles and practices of continuous delivery helps manufacturers provide better software faster. Continuous delivery is all about feedback within seconds, minutes, hours and days. The best way to gain this feedback is to run a continuous delivery pipeline, which enables your development team to work at a constant and fast pace - without sacrificing quality. Continuous delivery is the secret formula for high-performance teams.
24 posts
Newsletter: Better Built By Burkhard
Latest posts
CRA Classification of Embedded Devices: Examples
By definition, embedded devices are products with digital elements and, hence, must comply with the CRA. I'll give examples of whether to classify devices as default, important or critical. The classification decides how expensive CRA compliance is. So, we'd better get it right.
No. 69: Who Defines Minimum Security for Default Products?
Courts will do it! Cybersecurity experts throw a lot of security measures at the wall and see which ones stick. They seriously suggest that manufacturers must only do a "proper" risk assessment and all is fine. Manufacturers define what "proper" means. Isn't that circular reasoning?
How Pre-2028 Products Might Avoid the Cyber Resilience Act
If a machine sold in 2015 receives a feature update in 2028 or later, it must undergo full CRA compliance (Article 69.2). The best bet for the manufacturer might be to argue that the CRA violates legal certainty and non-retroactivity of law - constitutional rights in most EU countries.
No. 68: New Offering - CRA Survival Bootcamp
Are you ready for the Cyber Resilience Act? If not sure, check out my new offering. In the CRA Survival Bootcamp, you'll learn how to do CRA compliance on your own. My related posts may help you as well.
Surviving the EU Cyber Resilience Act
What does the CRA require from you to avoid sales bans after 11 December 2027 and penalties threatening the existence of your company? Risk assessment, vulnerability handling and technical documentation. And tough decisions about which products to retire.
Overview: Risk Assessment of the Essential Product Requirements
Overview of my posts and talks about risk assessment of the essential product requirements of the EU Cyber Resilience Act (CRA).
No. 67: Risk Assessment of Essential Product Requirements: Documenting Risks
The CRA requires manufacturers to document the risk assessment. Architecture decision records (ADRs) are the ideal means for that. They also facilitate good discussions about different mitigation options.
Risk Assessment of Essential Product Requirements: Mitigating and Reviewing Risks
Episode 66: Better Built By Burkhard
Risk Assessment of Essential Product Requirements: Evaluating and Prioritising Risks
Episode 65: Better Built By Burkhard
Risk Assessment of Essential Product Requirements: Identifying Risks
Episode 64: Better Built By Burkhard
Risk Assessment of Essential Product Requirements: Prerequisites
Episode 63: Better Built By Burkhard