
Integrating Risk Assessment into Your Secure Software Development Lifecycle (SSDLC)

The Cyber Resilience Act (CRA) doesn't see cybersecurity risk assessment as a one-time checklist item. Article 13, Paragraph 2 is explicit: manufacturers must take the outcome of the risk assessment into account "during the planning, design, development, production, delivery and maintenance phases" of their software, app, or game. This means embedding risk assessment into your entire Secure Software Development Lifecycle (SSDLC).

From Concept to Sunset

Think about how risk assessment touches each stage:

  • Planning/Concept: Early on, when you're designing your app's features or game mechanics, identify potential high-level risks. What kind of data will it handle? What are the core security assumptions?
  • Design/Architecture: As you architect your software, perform threat modeling. How will components interact? Where are the trust boundaries? This helps fulfill Annex I, Part I, point (1) on designing for an appropriate level of cybersecurity.
  • Development/Coding: Implement secure coding practices. Use SAST tools. Address vulnerabilities found in third-party libraries (Article 13, Paragraph 5).
  • Testing/QA: Include security testing alongside functional testing, and consider penetration testing for more critical apps or components.
  • Production/Deployment: Ensure secure configuration by default (Annex I, Part I, point (2b)). Securely distribute updates (Annex I, Part II, point (7)).
  • Maintenance/Updates: Continuously monitor for new vulnerabilities. Update your risk assessment when significant changes occur or new threats emerge. This feeds into your vulnerability handling processes (Annex I, Part II).

Agile and Iterative

If you're using agile development for your software, risk assessment activities should also be agile and iterative. Don't wait until the end of a long cycle. Incorporate security "sprints" or stories. Revisit threat models as new features are added.

This continuous approach helps ensure your software doesn't just start secure but stays secure throughout its support period, as mandated by Article 13, Paragraph 3.

Key Takeaway

The CRA pushes for risk assessment to be an ongoing conversation throughout your software's life, not a monologue at the beginning. Integrate security thinking and risk analysis into every stage of your development process.