What is EU Cyber Resilience Act
The EU Cyber Resilience Act is a proposed regulation that aims to improve the cybersecurity and cyber resilience of products with digital elements, such as connected devices, software, and cloud services. The act will introduce harmonized rules and obligations for the entire value chain, from manufacturers to users, and will require a CE marking to indicate compliance with the cybersecurity requirements.
The act is expected to enter into force in early 2024, and manufacturers will have to apply the rules 36 months after their entry into force. This means that organizations that develop or provide software products or services in the EU market will have to adapt their processes and practices to meet the new standards and ensure the security of their products throughout their lifecycle.
The new act comes with obligations for software manufacturers. It will be mandatory to provide technical documentation to authorities that demonstrates the product was developed with security by design. Failing to comply can result in a fine of up to €15 million or 2.5% of yearly global turnover.
Here are some examples of content that will be expected as part of the technical documentation:
- Description of the software development process that demonstrates that activities like threat modelling are performed in the design phase of the development process
- Up-to-date diagrams and design documentation
- Risk analysis
- Points of contact for security matters
- Third-party component security management (software composition analysis, SCA)
One of the challenges that organizations will face is how to approach the Secure Software Development Life Cycle (SSDLC) in a structured way. The SSDLC defines the process used by organizations to build secure software applications from inception to decommissioning. Implementing the SSDLC is not a trivial task. It involves multiple stakeholders, activities, tools, and metrics, and it needs to be aligned with the business goals and risks of the organization. Moreover, the SSDLC is not a one-size-fits-all solution. Different organizations have different needs, resources, and constraints, and they may use different methodologies, technologies, and architectures for their software development.
Therefore, organizations need a way to customize and measure their SSDLC implementation, and to continuously improve their software security posture. This is where OWASP SAMM comes in.
OWASP SAMM: A Maturity Framework for Software Security
OWASP SAMM (Software Assurance Maturity Model) is an open framework that helps organizations assess, formulate, and implement a strategy for software security that can be integrated into their existing Software Development Lifecycle (SDLC). OWASP SAMM fits most contexts: whether your organization is mainly developing, outsourcing, or acquiring software, and whether you use a waterfall, agile, or DevOps method, the same model applies.
OWASP SAMM provides a structured way to assess the current state of software security practices, identify gaps and weaknesses, and define and execute a roadmap for improvement. OWASP SAMM covers 15 security practices across five business functions: governance, design, implementation, verification, and operations. Each practice has three maturity levels, from initial to advanced, that describe the objectives, activities, and quality criteria for achieving a certain level of security assurance.

By using OWASP SAMM, organizations can:
- Evaluate their existing software security practices and benchmark them against industry standards or peers
- Build a balanced software security assurance program in well-defined iterations, based on their specific needs and resources
- Demonstrate concrete improvements to their security assurance program and communicate them to stakeholders
- Define and measure security-related activities throughout the organization and across the software lifecycle
- Think about threats beyond standard attacks and address the security issues unique to their applications
How to Adopt OWASP SAMM
The typical approach to using OWASP SAMM in an organization is to start with preparation, then go through assessment, setting the target, planning, and implementation, through to roll-out. OWASP SAMM is particularly well suited to support continuous improvement, in which case the cycle is executed continuously, typically in periods of 3 to 12 months.
The first steps to adopt OWASP SAMM are:
- Preparation: Define the scope, objectives, and stakeholders of the project, and gather the necessary information and resources
- Assessment: Use the OWASP SAMM questionnaire or the SAMM assessment tool to evaluate the current maturity level of each security practice, and identify the strengths and weaknesses of the software security practices
- Setting the target: Based on the assessment results and the business goals and risks, define the target maturity level for each security practice, and prioritize the areas of improvement
- Planning: Based on the target and the priorities, define the plan of action, including the activities, resources, timelines, and metrics for each security practice
These steps can be executed by a single person or a small team in a limited amount of time (one to two days). However, to ensure the success and sustainability of the project, it is important to get the support and involvement of the relevant stakeholders, such as management, developers, testers, and security experts.
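The assessment, target-setting, and planning steps above boil down to scoring each of the 15 SAMM practices, comparing the score with a target, and ranking the gaps. The following is an added example of that calculation, not the SAMM toolbox or any code from the page: the business function and practice names are those of SAMM 2.0, while the answer scale, the stream scoring rule, the assessment answers and the targets are constructed assumptions for illustration.

```python
"""Constructed OWASP SAMM gap calculation (added example, not the SAMM toolbox)."""
from statistics import mean

# SAMM 2.0: five business functions, three practices each (15 practices in total).
BUSINESS_FUNCTIONS = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}

# Assumed answer scale for each maturity-level question: no / some / at least half / most or all.
ANSWER_SCORE = {"no": 0.0, "some": 0.25, "half": 0.5, "most": 1.0}


def practice_score(streams):
    """streams: {"A": [lvl1, lvl2, lvl3], "B": [lvl1, lvl2, lvl3]} -> maturity 0.0..3.0.
    Assumption: a stream scores the sum of its three level answers, and the
    practice scores the mean of its two streams."""
    return mean(sum(ANSWER_SCORE[answer] for answer in levels) for levels in streams.values())


def gap_report(assessment, targets):
    """Return (function, practice, current, target, gap) rows, largest gap first.
    Practices that were not assessed count as 0.0; missing targets count as 0.0."""
    rows = []
    for function, practices in BUSINESS_FUNCTIONS.items():
        for practice in practices:
            current = practice_score(assessment[practice]) if practice in assessment else 0.0
            target = targets.get(practice, 0.0)
            rows.append((function, practice, round(current, 2), target,
                         round(max(target - current, 0.0), 2)))
    return sorted(rows, key=lambda row: row[4], reverse=True)


# Constructed assessment answers for three practices (stream A / stream B, levels 1..3).
ASSESSMENT = {
    "Threat Assessment": {"A": ["half", "no", "no"], "B": ["some", "some", "no"]},
    "Secure Build": {"A": ["most", "most", "no"], "B": ["most", "half", "no"]},
    "Incident Management": {"A": ["most", "no", "no"], "B": ["half", "no", "no"]},
}
# Constructed target maturity levels chosen for the next improvement cycle.
TARGETS = {"Threat Assessment": 2.0, "Secure Build": 2.0,
           "Incident Management": 2.0, "Defect Management": 1.0}

if __name__ == "__main__":
    for function, practice, current, target, gap in gap_report(ASSESSMENT, TARGETS):
        print(f"{function:15} {practice:28} current={current:<4} target={target:<4} gap={gap}")
```

The rows with the largest gap are the candidates for the planning step; practices with a gap of zero can be left out of the current iteration.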
The Getting Started article on the official OWASP SAMM web page has a great step-by-step guide on how to adopt this framework in a software development company: Quick start guide for version 2.0 (owaspsamm.org)
Conclusion
The EU Cyber Resilience Act will bring significant changes and challenges to the software industry in the EU market. Organizations that develop or provide software products or services will have to comply with the new cybersecurity requirements and obligations, and ensure the security and resilience of their products throughout their lifecycle.
To prepare for the act, organizations should approach the SSDLC in a structured way, and use OWASP SAMM as a maturity framework to measure and improve their software security posture. By doing so, organizations can not only meet the regulatory expectations, but also gain a competitive advantage and deliver more secure and reliable software products and services to their customers.