No. 73: Stop Managing Risk in Cybersecurity
Stop managing risk! It doesn't work! Official bodies should tell manufacturers which security measures are needed to meet the minimum bar; telling manufacturers to figure it out themselves is a waste of time. Safety doesn't rely on risk assessment but on more effective people. What can security learn from that?
Read next
No, Light-Touch or Full CRA Compliance for FOSS Components
Do suppliers of FOSS components like Qt LGPL, Weston/Wayland, Linux BSPs, containers and OTA update solutions have to perform no, light-touch or full CRA compliance? The answer affects how much due diligence machine and device manufacturers must exercise for these components in their CRA compliance.
Fundamental Definitions of the Cyber Resilience Act
The definitions for making available on the market, placing on the market, intended purpose and substantial modification are crucial for understanding the CRA. The CRA, Blue Guide and Commission guidance interpret them differently. I am trying to sort out this mess.