Reports of Software Security Tests Carried Out

Claims about your software's security are one thing; proof is another. The Cyber Resilience Act (CRA) requires you to back up your conformity claims with evidence. A key part of this evidence is the results from security tests you've performed.

The Requirement for Test Reports

Annex VII, point 6, explicitly states that the Technical Documentation must include "reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I".

This requirement is also supported by Annex I, Part II, point (3), which mandates that manufacturers "apply effective and regular tests and reviews of the security of the product".

What This Means for Your Software

For your app, game, or software component, this means you need to document the outcomes of your security testing activities. The types of reports to include could be:

  • Vulnerability Scan Results: Reports from automated tools that scan your code or dependencies for known vulnerabilities (e.g., SAST, DAST, SCA scan results).
  • Penetration Test Reports: If you commissioned a third party (or used an internal team) to perform a penetration test on your app or its backend, the summary report is crucial evidence.
  • Code Review Summaries: Documented outcomes of security-focused manual code reviews.
  • QA Security Testing Results: Reports from your quality assurance team that include security-specific test cases.
  • Process Audits: If you conducted an audit of your vulnerability handling process, the report would demonstrate compliance with Annex I, Part II.

You don't necessarily need to include every single raw log file, but summary reports that show the scope of testing, the findings, and how you addressed them are essential.

Key Takeaway

Your Technical Documentation must include reports from the security tests you've conducted on your software. This provides tangible proof that you have actively verified your product's compliance with the CRA's essential security requirements.