Secure Software Development Lifecycle (SSDLC) and the CRA

The Cyber Resilience Act (CRA) doesn't explicitly use the term "Secure Software Development Lifecycle" or SSDLC. However, its requirements effectively mandate that you adopt one for your app, game, or software. An SSDLC is a process that builds security into every stage of development, from concept to sunset.

How the CRA Mandates an SSDLC

Let's map CRA requirements to SSDLC phases:

  • Requirements & Design (The "Secure by Design" Principle):

    • CRA: You must perform a cybersecurity risk assessment and take its outcome into account during planning and design (Article 13, Paragraph 2). Products must be "designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks" (Annex I, Part I, point 1).
    • SSDLC: This is threat modeling and defining security requirements upfront.
  • Development (Coding):

    • CRA: You are responsible for ensuring the product is made available "without known exploitable vulnerabilities" (Annex I, Part I, point 2a) and that you exercise "due diligence when integrating components" (Article 13, Paragraph 5).
    • SSDLC: This involves secure coding training, using static analysis tools (SAST), and managing dependency vulnerabilities (via SBOM and SCA).
  • Testing:

    • CRA: You must "apply effective and regular tests and reviews of the security of the product" (Annex I, Part II, point 3) and include test reports in your technical documentation (Annex VII, point 6).
    • SSDLC: This is security testing, including dynamic analysis (DAST) and penetration testing.
  • Release & Response:

    • CRA: You must have processes for vulnerability handling, a CVD policy, and secure update distribution (Annex I, Part II).
    • SSDLC: This is the incident response and post-release vulnerability management phase.

The CRA's holistic approach, covering the entire lifecycle, makes an SSDLC the most logical and effective way to achieve and demonstrate compliance.

Key Takeaway

While the CRA doesn't name it, its requirements for secure design, development, testing, and ongoing vulnerability management mean that implementing a Secure Software Development Lifecycle (SSDLC) is the practical path to compliance for any software developer.