Identifying Assets and Data in Your Software Product

Before you can protect anything, you need to know what you're protecting. For your app, game, or software, this means identifying your critical assets and the data your product handles. This is a fundamental step in your Cyber Resilience Act (CRA) risk assessment.

What Are Your Software Assets?

Think beyond just your source code. For a typical software product, assets can include:

  • User Data: This is a big one. Annex I, Part I, point (e) requires protecting data confidentiality, and point (g) talks about data minimization. This could be player profiles in a game, user-generated content in an app, or configuration settings.
  • Intellectual Property: Your game's unique mechanics, proprietary algorithms in your software, or specific art assets.
  • Backend Systems & APIs: If your app or game communicates with a server, that server, its databases, and the APIs are critical assets.
  • In-App Purchases & Virtual Goods: For games, the system managing these is a high-value target.
  • Source Code & Development Tools: The code itself, build systems, and developer credentials.
  • Brand & Reputation: Though intangible, a security breach can severely damage this.

Focus on Data Sensitivity

The CRA's Annex I, Part I emphasizes protecting the confidentiality, integrity, and availability of data. Consider:

  • Personal Data: Does your app collect names, emails, or device IDs? GDPR implications are huge here too.
  • Sensitive Operational Data: API keys, server credentials, or internal configurations used by your software.
  • Game State / User Progress: For games, compromising this can ruin the user experience.
  • Financial Information: If your app handles payments directly (less common for simple apps, but possible).

Why This Matters for CRA

Identifying these assets and understanding the data involved allows you to:

  1. Determine what security properties from Annex I are most relevant.
  2. Assess the potential impact if these assets are compromised (a key part of risk evaluation).
  3. Prioritize your security efforts where they matter most.

Key Takeaway

Know what you're trying to secure. List out the critical assets and data your software or app interacts with. This inventory is the bedrock of a meaningful risk assessment that aligns with CRA requirements.