NXP EdgeVerse Techcast

CRA Week: Step 2 Security by Design



Day 2 of CRA Week covers the second major step in CRA compliance, Security by Design. NXP security expert Marc Vauclair explains that CRA security is about managing risk, and that Security by Design reduces risk compared to adding security later.

The episode outlines the following CRA expectations:

  • Shipping products in a secure state
  • Enabling security features by default
  • Using encryption and data minimization
  • Minimizing components and unused interfaces to reduce attack surface
  • Ensuring only trusted software runs at startup

Marc encourages threat modeling, building security into product requirements alongside traditional constraints, and accurate risk assessments.

The episode applies these ideas to a wireless keyboard example. It illustrates threats such as snooping, data injection, and denial-of-service via wireless flooding, and explains decomposing threats into risk factors, asset-centric impact analysis, and using threat intelligence and vulnerability severity to derive project-specific risk levels. At the end, threats are mapped to mitigations, such as authentication to prevent spoofing and cryptographic integrity checks to prevent tampering.

Marc also highlights NXP technologies that support Security by Design:

  • Encrypted firmware and key installation
  • Secure debug/configuration
  • Remote key provisioning
  • Memory encryption
  • Isolation between secure and non-secure areas
  • Secure connectivity features (origin attestation, secure communication, accelerated networking, remote key management)
  • Incident detection/response/recovery with measured boot, runtime attestation, cyber resilience recovery, tamper detection, and battery-backed monitoring

Don't miss this detailed episode to better understand Security by Design for CRA!

Episode Resources:

  • NXP CRA page: EU Cyber Resilience Act (CRA)
  • NXP page: Security Certification

00:00 Welcome to CRA Week Day 2

00:48 Meet Marc Vauclair

01:49 What Security by Design Means

02:54 CRA Secure by Default Requirements

04:13 Lifecycle Threat Modeling

06:02 Making It Practical in Development

07:30 Right Sizing Security Effort

09:23 Threat Modeling Keyboard Example

12:13 Risk Assessment Basics and Factors

14:25 NXP Technologies for Security

16:14 Recap and Step 3 Teaser


NXP EdgeVerse Techcast, by Bridgette & Kyle