PRC, Product Risk and Compliance

PRC, Product Risk and Compliance

Traditional GRC tools were built for corporate IT, not for modern software development. As regulations like the EU Cyber Resilience Act raise the bar for product-level security, a new discipline is emerging: Product Risk and Compliance (PRC).

CRA Sessions: Risk Assessment

Risk assessments are the starting point of your application security program and as it turns out your Cyber Resilience Act compliance strategy. If you think about it, it makes absolute sense. If there is no risk, you don't really need security. Unfortunately, that's not the world we are living in and creating a crystal clear understanding of the risk profile for each of your products is essential.Risk has two components to it. It has a more "businessy" component that is related to loss magnitude or impact. This is the component that needs to be dictated by the business.The second risk component is more technical, namely threat event frequency.The combination of the two factors is what we typically think of risk. However it is critical to stress that the first "business"-side of risk is much easier to come up with. It is also relatively limited. It is also the first one in terms of a sequence. This is also precisely what CRA suggests, you need to start with clearly defining the context of your product, its risk and risk acceptance criteria.The second factor, i.e., the actual threats, is virtually unlimited. Once again you need the business side of the story to come up with meaningful threats.In this second episode of our CRA series podcast we dive deep into the risk assessment and threat modeling concepts in the context of the upcoming EU Cyber Resilience Act.

What is CRA and why do we care?

Lara and I kick off our new series on the EU Cyber Resilience Act (CRA), where we'll go deep on what the regulation actually means for product security teams and how to translate it into concrete application security practice.In this first episode, we cover the foundations:What the CRA is and why it existsWhich products fall under its scope, and which don'tHow compliance requirements differ between product categories (default, important, and critical)The role of horizontal and vertical standards, and how they fit togetherWhat's at stake if you simply ignore the regulation — the penalties, market access consequences, and liability implicationsTo help you figure out where your product stands, we've also built a CRA screening tool that walks you through the key scoping questions and gives you a first read on your obligations.In the coming episodes, we'll move from the regulatory frame into the practical side: what "secure by design," vulnerability handling, SBOMs, and conformity assessments actually look like when you're shipping real products.👉 Try the CRA screening tool: https://sammy.codific.com/cra👉 Subscribe so you don't miss the next episodes.

Is security becoming prompt-driven? The future of AppSec in the age of AI

AI is changing everything - including how attackers think. But is the security industry keeping up?This webinar, hosted jointly with Toreon, tackles one of the biggest questions in AppSec right now: as AI agents, LLMs, and prompt-driven development become the norm, what does application security even look like?📌 Follow us on LinkedIn: https://www.linkedin.com/company/9420309/🌐 Or visit our website: https://codific.com/🔔 Subscribe for more AppSec tutorials and security framework insights!

AppSec at SMEs, how are your peers doing?

In this chapter we have the research team of PXL University of Applied Sciences that did an in depth analysis of the state of AppSec processes at SMEs. They report on their outcomes and findings.