Software Design, Development, and Production Process Overview
The Cyber Resilience Act (CRA) isn't just about your final software product; it's also about how you build it. Annex VII, point 2, requires your Technical Documentation to describe the design, development, and "production" processes. For software, "production" generally refers to your build, packaging, and release pipeline.
Documenting Your Design and Development
You need to provide necessary information on the design and development of your software. This should include:
- System Architecture: A description explaining how your software components build on or feed into each other and integrate into the overall processing. This could be a high-level diagram showing the relationship between your app's front-end, backend APIs, and databases.
- Design Choices: Information on key security-related design decisions. For example, why you chose a particular authentication method or data storage approach.
Documenting Your "Production" (Build and Release) Process
You must also document the processes and systematic actions you use in your software build and release pipeline. This demonstrates control and repeatability. It could cover:
- Source Code Management: How you control access to and changes in your codebase.
- Build Process: How source code is compiled, linked, and packaged into a distributable app or game.
- Security in the Pipeline: Any automated security checks you run, such as static analysis (SAST) or dependency scanning (SCA), during the build.
- Release Validation: The processes for validating that your release is ready and secure before it goes public.
This documentation provides evidence that you have a structured and security-conscious method for creating your software.
Key Takeway
Your Technical Documentation must describe your software's architecture and your development and build processes. This shows authorities that you have considered security not just as a feature, but as an integral part of how your software is made.