comment: # (…or by running the Makefile with “make”) comment: # (mdslides can be installed from https://github.com/dadoomer/markdown-slides/) comment: # (diagram was made on https://dreampuf.github.io/GraphvizOnline/ using media/CPAN-deps-1.dot as input)

comment: # (width: “960”) comment: # (height: “700”) comment: # (help: true) comment: # (progress: true) comment: # (controlsBackArrows: “true”)

Cyber Resilience Act, SBOMs and CPAN

PTS 2024

Salve J. Nilsen

@sjn\@chaos.social

Note:

• Presentation from 2023 is still mostly correct (80-90%), and many of the concerns and worries laid out there are still relevant

Oh Noes!

• There are substantial changes to the landscape
  • Our maps need updating!
• Let’s play scouts on a fact-finding mission
• Looking for facts, references, questions
• Otherwise – state our confidence (0-100%)

Note:

Inspiration from Julia Galef’s “The Scout Mindset” book (2021)

(Obligatory IANALawyer)

EU Cyber Resilience Act

• Law was approved by the EU Parliament March 12th 2024
• Final translations/fixes ongoing
• Law is adopted when EU Council gives final approval
• Three year implementation period
• CRA expexted to take effect in Q2 2027

> * Parliament resolution [T9-0130/2024](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html)

Note:

Approved 6 weeks ago Law is expected to be approved by the Council in April 2024!

CRA Applies to…

• All Manufacturers that wish to place “Products with Digital Elements” on the EU market. (Recital 9)

• Connected devices
• Remote data processing solutions
• Non-tangible digital products

> * Product with Digital Elements: [Article 3 (1), (4), (6), (7)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=136) > * Placing on the market: [Article 3 (21)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=140)

Note:

Devices, components, routers, toys, etc. Anything which has software may be affected!

CRA does not apply to…

• Software that is part of a service (Recital 12)
• Though NIS2 applies if the services is considered critical infrastructure (70%)

Five “Roles”

• Manufacturer
• Distributor
• Importer
• Open-Source Software Steward
• Open-Source Developers

Five “Roles”

• Manufacturer 🔍
• Distributor
• Importer
• Open-Source Software Steward
• Open-Source Developers

comment: # (

data-auto-animate)

Manufacturer

• A natural or legal person who
  • develops or manufactures products with digital elements
  • or has products with digital elements designed, developed or manufactured,
  • and markets them under its name or trademark,
  • whether for payment, monetisation or free of charge

> * [Article 3 (12), (13)](https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf#page=138)

comment: # (

)

Obligations of Manufacturers – Conformance

• Place a CE mark on their products (Article 28)

> * Automating this (on MetaCPAN) may be an awesome way to help the sustainability of FOSS projects! (50%)

comment: # (

)

Obligations of Manufacturers – Support period

• Determine the product support period.
  • Default is 5 years, but should reflect expected use time. (Article 13.8)
  • Support period can also set by authorities if deemed inadequate, or for certain categories.
• Security fixes must remain available for 10 years after publishing (Article 13.9)

> * Period length may be different per product (40%)

comment: # (

)

Obligations of Manufacturers – Point of Contact

• Set up a single point of contact (Annex II.2)

> May require confirmation (60%)

comment: # (

)

Obligations of Manufacturers — Unique ID

• Create a unique identification of their product (Annex II.3)

> PackageURL can solve this! (85%)

comment: # (

)

Obligations of Manufacturers – Build & Dependencies

• Be able to identify and document vulnerabilities and components contained in products (Annex I, Part II (1))
• Describe how the product is put together (Annex VII.2 (a))

> Match Unique ID to vulnerability databases (90%)

comment: # (

)

Obligations of Manufacturers – Produce SBOMs

• Produce SBOMs upon request by regulators (Recital 22)
  • At minimum, top level dependencies (Annex I, Part II (1))
• See also: The German Federal Office for Information Security’s Technical Guideline TR-03183 version 1.1 (published 2023-11-28)

> * Requires ways to refer to both embedded and cross-ecosystem dependencies (95%) > * Transitive dependencies are implied to be produced (70%)

comment: # (

)

Obligations of Manufacturers – No Vulnerabilities

• Product has no known vulnerabilities in their products (Article 13.1; Annex I, Part I (2 (a)))
• Product is secure by default (Recital 65)
• 😍 Exercise due diligence when integrating third party components to avoid they compromise security (Article 13.5)
• Report vulnerabilities to the Manufacturer or Open Source maintainer (Article 13.6)

> * Implies they have a complete picture of dependencies (95%) > * Though the minimum is "top level dependencies" ([Annex I, Part II, (1)]())

comment: # (

)

Obligations of Manufacturers – Offer timely security updates

• Make security updates available to customers effectively for the duration of the support period (Article 13.8; Annex I part II)
• Ensure vulnerabilities can be addressed through security updates (Annex I, Part I (2 (c)))
  • In a timely manner (Annex I, Part II (7))

comment: # (

)

Obligations of Manufacturers – Early warning system

• Take part in the EU early warning notification regime (Article 13.6; Article 14.1)
  • Submit early warning within 24h after exploit discovery (Article 14.2 (a))
  • Submit vulnerability notification within 72h, incl. corrective measures (Article 14.2 (b))
  • Submit a final report no later than 14 days after discovery (Article 14.2 (c))
• Incident reports must be submitted to a common EU reporting platform

comment: # (

)

Five “Roles”

• Manufacturer ✅
• Distributor
• Importer
• Open-Source Software Steward
• Open-Source Developers

Five “Roles”

• Manufacturer ✅
• Distributor ❌
• Importer
• Open-Source Software Steward
• Open-Source Developers

Five “Roles”

• Manufacturer ✅
• Distributor ❌
• Importer ❌
• Open-Source Software Steward
• Open-Source Developers

Five “Roles”

• Manufacturer ✅
• Distributor ❌
• Importer ❌
• Open-Source Software Steward 🔍
• Open-Source Developers

comment: # (

data-auto-animate)

Open Source Steward

• A legal person, but not natural person, who…
  • must be a non-profit (Recital 15)
  • provides support for OSS projects that are intended for commercial activities (Recital 18)
  • may provide voluntary security attestation (Recital 21)

comment: # (

)

Obligations of Open Source Stewards – Community Policy

• Must create cybersecurity policy and documentation for it’s community, that fosters…
  • Development of secure products (Article 24.1)
  • Effective handling and information sharing around vulnerabilities (Article 24.1)
  • Voluntary vulnerability reporting (Article 15)

comment: # (

)

Obligations of Open Source Stewards – Cooperation

• Must cooperate with market surveillance authorities in… (Article 24.2)
  • Mitigating risks
  • Provide above documentation upon request
  • Notify of exploited vulnerability discoveries (Article 14.1)
  • Informing users of the impact of active exploited vulnerabilities or severe incidents (Article 14.8)

> * Here, Stewards "add value" for Manufacturers by offloading some of the due diligence tasks. This is valuable!

comment: # (

)

Obligations of Open Source Stewards – Security Attestation

• 😍 Facilitate Manufacturer’s due diligence as laid out in Article 13.5 (Article 25)
• EU Commision is tasked to set up a security attestation programme to facilitate this (Recital 21)

> * Stewards "add value" for Manufacturers by providing a Security Attestation via. This is valuable!

comment: # (

)

Five “Roles”

• Manufacturer ✅
• Distributor ❌
• Importer ❌
• Open-Source Software Steward ✅
• Open-Source Developers

Five “Roles”

• Manufacturer ✅
• Distributor ❌
• Importer ❌
• Open-Source Software Steward ✅
• Open-Source Developers 🔍

comment: # (

data-auto-animate)

Open Source Developers

• CRA doesn’t really talk about Open Source Developers

comment: # (

)

Obligations to Open Source Developers – Status Quo

• CRA does not apply to Developers if…
  • they contribute code to projects they are not responsible for (Recital (18))
  • they are not monetising their product (Recital (18))
  • their product is not ultimately intended for commercial activities (Recital (19))

comment: # (

)

Obligations to Open Source Developers – With a FOSS Steward

• CRA applies voluntarily if the Developer decides…
  • their product is ultimately intended for commercial activities (Recital (19))

A Open Source Software Steward to assist them in improving their product’s security posture.

comment: # (

)

Five “Roles”

• Manufacturer ✅
• Distributor ❌
• Importer ❌
• Open-Source Software Steward ✅
• Open-Source Developers ✅

Now what?

comment: # (

data-auto-animate)

Now what?

• We can help our users comply with EU Law!

comment: # (

data-auto-animate)

Metadata

• Update CPAN::Meta::Spec
  • Add CRA compliance fields
  • Add project sustainability fields
  • Who would like to make this happen? ✋

comment: # (

)

SBOM

• Support Software Bill of Materials in the toolchain
  • PackageURL for helping with out-of-ecosystem dependencies and requirements
  • SBOM-aware PAUSE
  • SBOM discovery API on MetaCPAN
  • Who would like to make this work? ✋

comment: # (

)

Documentation

• Create an overview of roles, metadata, responsibilities and terminology
  • Who needs the metadata required by CRA?
  • Where does it come from?
  • LOTS done!
  • See https://security.metacpan.org/docs/

comment: # (

)

CPANSec’s supply-chain SBOM overview

Let’s take a look!

Further work in CPANSec

• Let’s coordinate on #cpan-security on irc.perl.org! 😍

Thanks!

Salve J. Nilsen

@sjn\@chaos.social

🦆🦆🦆