Common Pitfalls in Software Risk Assessments (and How to Sidestep Them)
Conducting a cybersecurity risk assessment for your app, game, or software under the Cyber Resilience Act (CRA) is crucial. But it's easy to stumble. Here are some common pitfalls and how to keep your assessment on track and genuinely useful.
Pitfall 1: Treating it as a Checkbox Exercise
Rushing through to "get it done" misses the point. The CRA wants security integrated into your product's DNA (Article 13, Paragraph 2).
- Avoidance: Allocate proper time. Understand it's about improving your software's security, not just paperwork.
Pitfall 2: Underestimating "Reasonably Foreseeable Use"
Focusing only on your "intended purpose" is too narrow. Users will do unexpected things with your game or app.
- Avoidance: Brainstorm how users might misuse or abuse features. Think about scenarios beyond the happy path. What if someone tries to upload a gigabyte-sized profile picture to your app?
Pitfall 3: Ignoring or Downplaying Dependencies
Your software probably uses third-party libraries, game engines, or cloud services. Their vulnerabilities are your vulnerabilities (Article 13, Paragraph 5).
- Avoidance: Create a Software Bill of Materials (SBOM) as required by Annex I, Part II, point (1). Actively track and assess vulnerabilities in these components.
Pitfall 4: Lack of Documentation or Poor Justification
If an essential requirement isn't applicable, you must clearly justify why in your technical documentation (Article 13, Paragraph 4). Vague or missing documentation is a red flag.
- Avoidance: Be thorough. If you deem a risk acceptable, explain your reasoning clearly. If a requirement from Annex I doesn't fit, detail why and how you're still managing any associated risk (Recital 55).
Pitfall 5: Risk Assessment in a Silo
If the security team does the risk assessment but developers never see it or understand it, its value plummets.
- Avoidance: Make it a collaborative effort. Ensure findings are communicated to the development team so they can actually address the risks in the software.
Pitfall 6: Not Updating the Assessment
The digital world changes fast. A risk assessment for your app from two years ago is likely outdated (Article 13, Paragraph 3).
- Avoidance: Revisit and update your assessment when you add major new features, after significant security incidents, or when substantial modifications are made.
Key Takeaway
A valuable software risk assessment is thorough, considers real-world use (and misuse), accounts for all dependencies, is well-documented, collaborative, and regularly updated. Avoid these pitfalls to make your CRA compliance journey smoother.