
Acronym: CRACY
Title: CRA CompliancY (made easy)
Call | DIGITAL-ECCC-2024-DEPLOY-CYBER-06
EU nr | 101190492
Period | 30 months, 01.12.2024 to 31.05.2027
Project budget | € 4,487,808.98
VUB budget | € 113,152.50
Contact | Prof. Coen De Roover and Prof. Wolfgang De Meuter
Can you provide a brief overview of the CRACY project and its primary objectives?
CRACY was launched to help companies, mainly small and medium-sized engineering companies, comply with the EU Cyber Resilience Act (CRA). The CRA was approved by the European Parliament in March 2024 [1] and entered into force in December 2024; most of its obligations apply from December 2027. It seeks to improve the reliability and (cyber)security of both software applications and physical products that contain software, such as electronic appliances. The CRA requires manufacturers to assess the security risks of their products, including the extent to which they are exposed to attackers, and to keep addressing vulnerabilities by providing security updates throughout the product's support period.
Implementing such processes is labour-intensive. Smaller enterprises in particular may lack the in-house expertise to comply with the new regulation, which makes it harder for them to compete with larger companies. Furthermore, because the CRA covers a broad spectrum of products, it necessarily takes a technology-agnostic, high-level view of how software is built and maintained. This makes it harder for companies to translate the CRA's legal requirements into concrete measures they can implement themselves.
CRACY will therefore develop free and open-source tools, mechanisms, checklists, and guidelines to help companies comply with the CRA by performing the necessary technical assessments of their products themselves. It will furthermore create content for webinars, workshops, training sessions, etc. to help shed light on the obligations imposed by the CRA.
[1] https://www.europarl.europa.eu/news/en/press-room/20240308IPR18991/cybe…
What role does VUB play in the CRACY project, and what are some of its key contributions?
Modern software systems are composed of many interacting software components, libraries and services, collectively termed dependencies. Often even the developers of a system do not know exactly which dependencies it includes: dependencies are reused across systems, and they pull in further (transitive) dependencies of their own. Many of these dependencies are open source, so they are available to a large community of developers. The downside is that a security vulnerability in a popular dependency is inherited by every system that includes it. The CRA therefore requires the manufacturer of a product to perform a thorough risk assessment of the product's software, including its dependencies.
The role of VUB in this project is to develop an open-source tool that automatically scans the software dependencies used in a software system. The tool produces a so-called Software Bill of Materials (SBOM), which lists, for each dependency, information such as known vulnerabilities, the channel for reporting vulnerabilities to the dependency's developers, and the software license that applies. Such tools already exist, but they require considerable intervention from developers with expert knowledge. VUB's goal is therefore to investigate how this analysis can be fully automated, so that it becomes usable by non-experts, and how the scan can be made more comprehensive, so that it also covers dependencies that state-of-the-art scanners currently miss.
This lowers the barrier for developers to create secure and reliable products and reduces the likelihood that a product is released with known security vulnerabilities. It will also enable developers to be notified automatically whenever a vulnerability is reported for one of the dependencies used in their system, which makes it easier to fix vulnerabilities quickly when they are discovered after the product's release.
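To make the kind of output described above concrete, here is an added Python sketch of an SBOM scanner. It is not code from the CRACY project or from VUB: it reads a pinned dependency list, emits a CycloneDX-shaped SBOM with one component per pin (license and security-contact reference included), and matches each component's version against advisories with OSV-style introduced/fixed version ranges. The lockfile, package names, licenses, contact URLs and advisory identifiers are all constructed placeholders for the example, not real projects or real vulnerabilities.

```python
"""Minimal SBOM builder and known-vulnerability matcher (illustrative example).

Input: a pinned Python requirements file (name==version per line).
Output: a CycloneDX 1.5-shaped JSON document with one component per pin and a
`vulnerabilities` section populated by matching each component's version
against advisories with OSV-style [introduced, fixed) ranges.

All package names, licenses, URLs and advisories below are CONSTRUCTED for the
example; they are not real project data.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed lockfile: two direct pins and one transitive pin, as a resolver would emit.
LOCKFILE = """\
# pinned by a hypothetical resolver
webframe==2.3.1
jsontool==1.0.4   # pulled in by webframe
imagecodec==0.9.0
"""

# Constructed package metadata a scanner would normally fetch from the registry:
# the license identifier and where to report security issues.
PACKAGE_METADATA = {
    "webframe": {"license": "MIT", "security_contact": "https://example.invalid/webframe/SECURITY.md"},
    "jsontool": {"license": "Apache-2.0", "security_contact": "mailto:security@example.invalid"},
    "imagecodec": {"license": "GPL-3.0-only", "security_contact": None},  # no documented channel
}

# Constructed advisories in OSV-like form: versions in [introduced, fixed) are affected.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "jsontool", "introduced": "1.0.0", "fixed": "1.0.5",
     "summary": "Constructed: unbounded recursion on nested arrays"},
    {"id": "EXAMPLE-2024-0002", "package": "imagecodec", "introduced": "0.8.0", "fixed": "0.9.0",
     "summary": "Constructed: heap overflow in header parser (fixed in 0.9.0)"},
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.4' into (1, 0, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pins, ignoring comments and blank lines."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """OSV semantics: the 'fixed' version itself is NOT affected (half-open range)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def build_sbom(lockfile: str, metadata: Dict, advisories: List[Dict]) -> Dict:
    """Build a CycloneDX-shaped SBOM and attach matching advisories to their components."""
    components, vulns = [], []
    for name, version in parse_lockfile(lockfile):
        purl = f"pkg:pypi/{name}@{version}"    # package URL doubles as the bom-ref
        meta = metadata.get(name, {})
        comp = {"type": "library", "bom-ref": purl, "name": name, "version": version, "purl": purl}
        if meta.get("license"):
            comp["licenses"] = [{"license": {"id": meta["license"]}}]
        if meta.get("security_contact"):
            comp["externalReferences"] = [{"type": "security-contact", "url": meta["security_contact"]}]
        components.append(comp)
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                vulns.append({"id": adv["id"], "description": adv["summary"],
                              "affects": [{"ref": purl}],
                              "recommendation": f"Upgrade {name} to {adv['fixed']} or later"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "vulnerabilities": vulns}


def components_without_security_contact(sbom: Dict) -> List[str]:
    """Dependencies with no documented channel for reporting vulnerabilities upstream."""
    return [c["name"] for c in sbom["components"]
            if not any(r["type"] == "security-contact" for r in c.get("externalReferences", []))]


if __name__ == "__main__":
    sbom = build_sbom(LOCKFILE, PACKAGE_METADATA, ADVISORIES)
    print(json.dumps(sbom, indent=2))
    print("no security contact:", components_without_security_contact(sbom))
```

Two details matter in practice and are exercised by the constructed data: versions must be compared numerically (1.10.0 is newer than 1.9.9, which a string comparison gets wrong), and the `fixed` version of an advisory is itself clean, so `imagecodec==0.9.0` is correctly not flagged while `jsontool==1.0.4` is. Re-running such a scan whenever the advisory feed changes is the basis for the automatic notification the text mentions.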
What will be the broader impact of the CRACY project?
Because of the complexity of modern software, making an application fully secure and resistant to every conceivable attack is a herculean task. This problem grows even larger for applications which are actively updated and which frequently receive new features, as each update may introduce a new vulnerability. Large organisations often employ dedicated teams to test the security of their products and to fix issues as soon as they are reported. These teams consist of security experts who use sophisticated tools to discover and fix vulnerabilities.
CRACY will democratize knowledge on software security by developing new tools, mechanisms, and guidelines for improving the security and reliability of products, and by partially automating some of the required technical assessments. As CRACY is funded by the EU's Digital Europe Programme, all of these tools will be made available as free and open-source software, so they can be adopted by developers worldwide. This will make it much easier to ship new products without known security vulnerabilities. Even if new vulnerabilities are discovered after a product has been released, the tools developed by CRACY will help developers patch them more quickly.
CRACY will also organise educational activities, including webinars, workshops, and training sessions, to help organisations make their products CRA-compliant by December 2027. As with the tools developed by CRACY, the content of these activities will also be made publicly available.
More information on the CRA and CRACY can be found at https://cra-cy.eu/.


This project has received funding from the European Union’s Digital Europe Programme under grant agreement No 101190492.
