Secure Software Development Lifecycle (SSDL)
CRA requires product teams to follow Secure Software Development Lifecycle practices from design to delivery to maintenance. This is not a specific, single requirement but rather a theme throughout the CRA regulation.
Essentially, you need to provide an evidence-based rationale for your cybersecurity measures throughout your product's lifecycle. You also need to specify any factors that extend or shorten the product's expected lifetime from the CRA default of 5 years.
Qt Group Highlights
Robust Protocols & Practices
From almost 30 years of open framework building, Qt already has, for example, secure design and planning principles, code integrity protection, third-party security audits, transparent and traceable security issue handling, and a wealth of documentation.
Now, we're adding CRA on top of it.
Marking Security-Critical Modules
Qt Framework has a process for marking security-critical modules. The idea is to identify the files containing code where bugs are more likely to cause security issues, for example code that parses input from untrusted sources, or a protocol implementation.
Next Steps at Qt Group
Expand the process for marking security-critical modules from Qt Framework to all Qt Group products
Mandate Multi-Factor Authentication (MFA) for all Qt Project contributors
Evaluate adopting OWASP SAMM or another de facto industry-standard SSDL framework
Establish a process to review the CRA compliance of third-party components
Improve the security flagging mechanism for code reviews and requirements handling
Create onboarding material for product lifecycle management to ensure a unified understanding of terminology, drivers and challenges
Document how the maintenance period is determined for each Qt Group product and ensure it covers the product's expected lifetime
More on SSDL
The information contained on this page and this website does not constitute legal advice. It is provided for informational purposes and discussion of the subject matter only. Content is subject to change and The Qt Group does not guarantee the accuracy or currentness of the contents of this page nor is The Qt Group responsible for the content or operation of any external website that these pages link to—or that may link to—these pages. The information contained here is not, and should not be used as, a substitute for legal advice.