Caught in the Net: What the Cyber Resilience Act Means for Open-Source Software

Christian Walter
9elements, Managing Director Firmware
Open-Source Firmware Foundation, Founder
Security Track

Why This Matters

CRA = First EU-wide cybersecurity regulation for digital products
Applies to both hardware and software
Open-Source Software is explicitly pulled into scope

The European CRA sets mandatory Cybersecurity Requirements for Hardware and Software throughout the entire lifecycle.

Key Goals
Improve Security across the whole Lifecycle
Secure Development
More Transparency
Enforce Vulnerability Handling

Applies to all Products with Digital Elements (PDEs) sold in the EU

What is the Cyber Resilience Act
Timeline
CRA Classes
OCP S.A.F.E.

CRA Classes

Category: Default Category
Examples: Industrial PLC; Smartphone; EV Chargers
Conformance: Self-assessment

Category: Important Product "Class 1"
Examples: Routers, modems intended for connection to the Internet (incl. switches); Smart home virtual assistants; Internet connected toys; Smart lock; Wearables; Physical and virtual network interfaces; Operating Systems
Conformance: Harmonised standards (ensuring CRA principles are met)

Category: Important Product "Class 2"
Examples: Hypervisors and container runtime systems; Firewalls, intrusion detection and/or prevention systems; Tamper-resistant MCUs/MPUs
Conformance: 3rd Party product assessment (product and/or process)

Category: Critical Product
Examples: Smart meter gateways; Smartcards and similar devices (including Secure Elements); Hardware devices with security boxes
Conformance: Common Criteria certification (by default)

Who needs to comply?

Manufacturers: Anyone selling or integrating PDEs
Importers/Distributors: If you place on the EU market
What about Open-Source Software?

Open-Source not exempt by default
Non-commercial projects are not in scope
But: Once used commercially in sco