CRA Week: Step 2 Security by Design
Day 2 of CRA Week covers the 2nd major step in CRA Compliance, Security by Design. NXP security expert Marc Vauclair explains that CRA security is about managing risk, and that Security by Design reduces risk compared to adding security later.
The episode outlines the following CRA expectations:
Marc encourages threat modeling, security into product requirements alongside traditional constraints, and accurate risk assessments.
Apply what is discussed with a wireless keyboard example. It illustrates threats such as snooping, data injection, and denial-of-service via wireless flooding, and explains decomposing threats into risk factors, asset-centric impact analysis, and using threat intelligence and vulnerability severity to derive project-specific risk levels. At the end threats are mapped to mitigations like authentication to prevent spoofing and cryptographic integrity checks to prevent tampering.
Marc also highlights NXP technologies that support Security by Design:
Don't miss this detailed episode to better understand Security by Design for CRA!
Episode Resources:
00:00 Welcome to CRA Week Day 2
00:48 Meet Marc Vauclair
01:49 What Security by Design Means
02:54 CRA Secure by Default Requirements
04:13 Lifecycle Threat Modeling
06:02 Making It Practical in Development
07:30 Right Sizing Security Effort
09:23 Threat Modeling Keyboard Example
12:13 Risk Assessment Basics and Factors
14:25 NXP Technologies for Security
16:14 Recap and Step 3 Teaser
