Vulnerability Identification: Your Codebase and Dependencies
Under the Cyber Resilience Act (CRA), your software, app, or game must be made available "without known exploitable vulnerabilities" (Annex I, Part I, point (2a)). This means you need a process to find these weaknesses, not just in your own code, but also in any third-party components you use – like game engines, libraries, or SDKs.
Scrutinizing Your Own Code
For the code you write:
- Secure Coding Practices: Are your developers aware of common pitfalls like those in the OWASP Top 10 (e.g., injection flaws, broken authentication)?
- Code Reviews: Is another pair of eyes looking at security-sensitive code?
- Static Analysis (SAST): Tools can automatically scan your source code for potential vulnerabilities. Many IDEs and CI/CD pipelines offer these.
- Dynamic Analysis (DAST): Testing the running application for vulnerabilities, often useful for web-facing components of your app or game.
The Dependency Dilemma
Modern software, especially games and apps, relies heavily on external libraries and components. Article 13, Paragraph 5 states manufacturers must exercise due diligence when integrating third-party components so they don't compromise the product's security. Annex I, Part II, point (1) also requires you to identify and document vulnerabilities and components, including drawing up a Software Bill of Materials (SBOM).
This means you need to:
- Know Your Dependencies: Generate an SBOM to list all components.
- Check for Known Vulnerabilities: Use tools (Software Composition Analysis - SCA) or databases (like the National Vulnerability Database or ENISA’s future European Vulnerability Database mentioned in Recital 66) to see if your dependencies have reported issues.
- Update Regularly: Keep your libraries and game engine versions patched.
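As an added illustration of the "Know Your Dependencies" and "Check for Known Vulnerabilities" steps (example code, not from the original article or any real SCA tool): a small scanner that reads a CycloneDX-style SBOM and matches each component's version against an advisory feed. Both the SBOM and the advisory entries are constructed sample data with placeholder identifiers, standing in for a real SBOM and a feed such as the NVD.

```python
"""Added example: match a CycloneDX-style SBOM against a constructed advisory feed,
the core matching step of Software Composition Analysis (SCA)."""
import json

# Constructed SBOM fragment in CycloneDX JSON shape (sample data, not a real project).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "imagelib", "version": "2.3.1", "purl": "pkg:generic/imagelib@2.3.1"},
        {"type": "library", "name": "netcore", "version": "1.0.4", "purl": "pkg:generic/netcore@1.0.4"},
        {"type": "library", "name": "physx-shim", "version": "4.2.0", "purl": "pkg:generic/physx-shim@4.2.0"},
    ],
})

# Constructed advisory feed: placeholder identifiers, not real CVEs or real products.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "imagelib", "introduced": "2.0.0", "fixed": "2.3.2", "severity": "HIGH"},
    {"id": "EXAMPLE-ADV-0002", "name": "netcore", "introduced": "0.9.0", "fixed": "1.0.4", "severity": "CRITICAL"},
    {"id": "EXAMPLE-ADV-0003", "name": "physx-shim", "introduced": "4.0.0", "fixed": None, "severity": "MEDIUM"},
]

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed; fixed=None means no patched release exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version falls in the affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed"] or "no fix yet"})
    return findings

if __name__ == "__main__":
    # netcore 1.0.4 is exactly the fixed version, so it is reported clean; the other two are flagged.
    for f in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['component']} -> {f['advisory']} (fixed in {f['fixed_in']})")
```

A component with no fixed version available is still a finding: under the CRA that is the case where you need a documented mitigation or a decision not to ship, not a silent pass.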
Key Takeaway
Finding vulnerabilities isn't a one-shot deal. It involves continuous effort in your own code and diligent tracking of the security status of all your third-party dependencies. This is essential to ship without known exploitable issues as the CRA requires.