
Solving the CRA Puzzle: A Layered Approach to Compliance

CRA compliance isn’t one-size-fits-all—especially for manufacturers of software-defined products. In this clip, Dario Lobozzo, GM of EMEA at Finite State, explains why a layered approach to security analysis is critical.

October 14, 2025 • 2:19

Transcript

There's multiple ways to look at any puzzle, and I believe that accomplishing CRA compliance is essentially a puzzle, especially for software-defined product manufacturers. Because of that, and because of the fact that multiple different manufacturers are going to have different sets of problems across their organization, it's important to have the capability to look at a puzzle from the perspective of, I would like to do a binary scan because all I have is the final product of these twenty-year-old products that are out in the wild that I now need to go and retroactively build a vulnerability program for. I don't have the source code anymore. Those developers left. I can't ask them information. It's twenty years ago. So we need to do binary analysis on these.

Then we've got this other set of products that are, you know, kind of in the, like, still in the left side of the V, but not necessarily at start of production yet. So we have the code for those. We're in the middle of developing those and they haven't reached the wild yet. So we can do a source code analysis there.

And then we have ones that we have no control over whatsoever. We buy them prebuilt. Those are third-party components and all we can do there is ask for an SBOM and they won't give us the binary. So for whatever reason the contract states, we have to rely on their SBOM.

So I might have one product that I sell to the European market that needs to be CRA compliant. I manufacture some of the code. There's a bunch of it already in the market. So that those products, I need to do a binary analysis, and then I'm going to have third-party components within those. So without capability set within your tools as Finite State offers to do all three, you're going to miss something. It's just inevitable. You will just you will just miss something.
So I think it is really important to have a cohesive comprehensive approach when you're looking at something like, what is my layered approach to cybersecurity when it comes to my products?