Navigating the Cyber Resilience Act with Agility

Manufacturers must identify and document vulnerabilities in their products by creating a software bill of materials. They must address these vulnerabilities promptly with security updates, ideally separate from functionality updates. Regular security tests and reviews are required to maintain the product’s resilience against threats.

Manufacturers should ensure secure and timely distribution of security updates, including automatic updates when feasible. After releasing a security update, they must share information on the vulnerability, its impact, and how users can resolve it. Public disclosure may be delayed if needed for security reasons. Security updates must be free and include advisory messages to guide users.

Manufacturers must enforce a coordinated vulnerability disclosure policy to ensure that all stakeholders, including users, are informed about security issues in a structured and consistent manner. They should also take steps to facilitate the reporting of vulnerabilities by providing users with a clear point of contact to report any discovered issues. This includes vulnerabilities found in third-party components contained within the product.

Products must be sold without known exploitable vulnerabilities. Security updates should be provided, including automatic updates enabled by default, with an easy opt-out and the option to delay installation. Products must also have secure default settings unless otherwise agreed for custom solutions, and should include an option to reset to original settings. Additionally, products should be designed to minimize attack surfaces, particularly through external interfaces, reducing the risk of exploitation.

Products must protect the confidentiality of stored and transmitted data, using encryption and other modern security methods to safeguard information. Only necessary data should be processed, adhering to data minimization principles. Users must have the ability to securely and permanently delete all data and settings, and data transfers to other systems should be done securely. Additionally, the integrity of data, commands, and configurations must be protected against unauthorized modification, with mechanisms to detect and report any corruptions.

Products must ensure protection from unauthorized access through appropriate control mechanisms, such as authentication and identity or access management systems, and report any unauthorized access attempts. They should also record and monitor internal activity, including access to or modification of data, services, or functions, with an opt-out option for users who prefer not to be monitored.

Products must protect the availability of essential and basic functions, even after an incident, by implementing resilience measures and defenses against denial-of-service attacks. They should also minimize any negative impact on the availability of services provided by other connected devices or networks. Additionally, products must be designed and developed with mechanisms that reduce the impact of an incident, using appropriate mitigation techniques to limit exploitation and damage.

In an agile environment, a single team is fully responsible for the development and lifecycle of the product. This responsibility empowers the team to make decisions, take control of the process, and deliver a high-quality, end-to-end solution. The sense of ownership extends beyond just development; the team is accountable for maintenance, updates, and long-term success. This ownership fosters better collaboration, not only within the team but also with external stakeholders, as the team is invested in meeting both business goals and customer expectations.

Agile teams are inherently cross-functional and interdisciplinary, with members who understand each other’s strengths and work closely across different disciplines to create high-quality products. This collaborative environment enables developers to gain a deeper understanding of both the business and customer needs through continuous interaction, allowing teams to focus on solving the real problem. By regularly discussing and addressing issues collectively, agile teams enhance their problem-solving skills and build stronger, more effective solutions.

Agile teams automate repetitive tasks such as testing, code analysis, and security checks to increase efficiency and reduce the possibility of human error. This automation is built into the development pipeline, enabling teams to focus on higher-level problem-solving.

Agile teams implement Continuous Integration (CI), where developers frequently merge code changes into a shared repository. Each change is automatically tested to ensure it integrates smoothly with the existing codebase.

In agile environments, Continuous Delivery (CD) automates the release of software updates, ensuring that new versions are deployed frequently and with minimal effort. This enables teams to release software as soon as it passes the necessary tests.

Automated testing is a cornerstone of agile development, with unit tests, integration tests, and regression tests forming part of daily workflows. This ensures new features and changes don’t break existing functionality and are delivered quickly and reliably.

By adopting practices like code reviews, pair programming, and writing clean, maintainable code, teams can ensure high-quality software. This minimizes defects and makes it easier to introduce changes and security improvements over time.

In agile environments, documentation is updated continuously as part of the development process. Agile teams ensure that technical, process, and user documentation reflects the current state of the software, making it easier to maintain and distribute.