Olle Johansson, Experienced consultant in network security and real time communication – PKI, webrtc, SIP , XMPP. Kamailio and Asterisk expert.
Sandro Gauci, CEO / Senior Penetration Tester / Chief mischief officer at Enable Security
The proposed EU cyber resilience act (CRA) is a new legislation that will soon come into force. The act gives vendors a huge responsibility for the security features in sold products and gives customers a transparency into the products as well as five years of free security upgrades for all products. Manufacturers (and distributors of non-EU products) will have to implement vulnerability handling processes, be transparent of components in their products and implement security by default in all products.
What is the current state of IP communications? How will CRA affect everything from phones, to apps , servers and Open Source projects? Will the CRA lead to more secure communication or just be a blocker for innovation and progress?
Learn what the CRA means for you and your company, for manufacturers and for the market in general.
For the real-time communications industry this is the definitive review of the EU cyber resilience act (CRA), with lots of practical explanations on their Secure by Design recommendations.
Olle provides a good definition of what is meant by cyber security, see picture below, especially given Cyber is an oft-used marketing term. This picture relates cyber security (protection from attacks by bad actors online), with IT Security, Information Security and general Security.
The Apache LOG4J vulnerability has triggered many governments to put in place new laws to protect their citizens as the balance of power is too far over with the vendors. The CRA has a 24 month implementation timeline, and will impact mobile apps and embedded systems. SaaS services like UCaaS may not be impacted, unless there is device management function.
The big stick to follow CRA is a 15 million Euro fine, or 2.5% of worldwide revenues. Given most software is 80-95% open source, the OSS community are working on processes and automation tools. If you’re selling apps or customer devices or even a SaaS that controls a device you need to start planning now on how to achieve compliance with the EU CRA.
Sandro provides a great practical review of the CRA’s secure by design recommendations for the real time communications industry. It shows the importance of following his RTCSec newsletters. A term both Olle and Sandro use is Security needs shift left. That is be included in the initial phase of product development, not part of QA.