Burkhard Stubert
Latest posts
Fundamental Definitions of the Cyber Resilience Act
The definitions for making available on the market, placing on the market, intended purpose and substantial modification are crucial for understanding the CRA. The CRA, Blue Guide and Commission guidance interpret them differently. I am trying to sort out this mess.
Using Wardley Maps to Get Big Architecture Decisions Right
Big architecture decisions have big business impact. Wardley maps help us identify money pits in product development. They show us how to save money by commoditising hardware and software that is not part of our core business.
Qt Sql under LGPL Despite MariaDB under GPL
The Yocto recipe gives GPL as the license of MariaDB. The Qt Sql library implements its MySQL driver with MariaDB. Hence, it would be under GPL - and so would all applications linking Qt Sql. Businesses would have to open-source their code. A disaster! So, what's wrong?
Legal Disclaimers as CRA Mitigations
A device violates essential CRA requirements. Although simple state-of-the-art security measures are available, the manufacturer mitigates the violations with legal disclaimers. This goes against the intention of the CRA: improving cybersecurity in real life and not just on paper.
CRA Classification of Embedded Devices: Examples
By definition, embedded devices are products with digital elements and, hence, must comply with the CRA. I'll give examples of whether to classify devices as default, important or critical. The classification decides how expensive CRA compliance is. So, we better get it right.
No. 69: Who Defines Minimum Security for Default Products?
Courts will do it! Cybersecurity experts throw a lot of security measures at the wall and see which ones stick. They seriously suggest that manufacturers must only do a "proper" risk assessment and all is fine. Manufacturers define what "proper" means. Isn't that circular reasoning?
How Pre-2028 Products Might Avoid the Cyber Resilience Act
If a machine sold in 2015 receives a feature update in 2028 or later, it must undergo full CRA compliance (Article 69.2). The best bet for the manufacturer might be to argue that the CRA violates legal certainty and non-retroactivity of law - constitutional rights in most EU countries.
No. 68: New Offering - CRA Survival Bootcamp
Are you ready for the Cyber Resilience Act? If you are not sure, check out my new offering. In the CRA Survival Bootcamp, you'll learn how to do CRA compliance on your own. My related posts may help you as well.