Lucent Sky AVM for Cyber Resilience Act

2025/1/29

Application security is vital for designing, developing, and producing products that conform to the EU Cyber Resilience Act (EU CRA), as it protects against vulnerabilities that could compromise data and affect functionality. Lucent Sky AVM supports this process by automating vulnerability identification and remediation, making it more efficient for organizations to achieve and maintain compliance.

Lucent Sky AVM EU CRA mapping

The following section maps the Essential Requirements, as presented in Annex I of the EU CRA, that Lucent Sky AVM covers, together with the remaining steps a customer needs to take in addition to implementing Lucent Sky AVM.

EU Cyber Resilience Act Essential Requirements

EU CRA requirement | Lucent Sky AVM | Customer gaps
Part I (1) — Designed, developed, and produced securely | (C) Lucent Sky AVM can be used to identify and remediate insecure designs and implementations throughout the software development lifecycle, ensuring products are designed and developed against specified security requirements. | Customers must assess and identify the appropriate security requirements of their products, and should conduct assessments in addition to those by Lucent Sky AVM where necessary.
Part I (2)(a) — Without known exploitable vulnerabilities | (S) Lucent Sky AVM analyzes the source code, binary files, and dependencies of the products to identify and remediate both known and unknown vulnerabilities. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM.
Part I (2)(b) — Secure by default configuration | (C) Lucent Sky AVM analyzes the source code, binary files, and configuration files used by the products and their dependencies for insecure practices, such as the use of hard-coded credentials or insecure generation of randomized passwords. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM, and should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part I (2)(d) — Access control | (C) Lucent Sky AVM analyzes the source code of the products to identify potential locations in the code where access control is missing or performed insecurely, such as improper certificate validation and insecure session management. | Customers should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part I (2)(e) — Data confidentiality | (C) Lucent Sky AVM analyzes the source code of the products to identify potential locations in the code where sensitive information is stored insecurely, such as storing sensitive information without encryption or with obsolete encryption technologies. | Customers should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part I (2)(f) — Data integrity | (C) Lucent Sky AVM analyzes the source code of the products to identify potential locations in the code where data integrity verification is missing or performed inadequately, such as verifying hashes with obsolete algorithms. | Customers should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part I (2)(h) — Availability of essential functions | (C) Lucent Sky AVM analyzes the source code, binary files, and dependencies of the products to identify and remediate vulnerabilities that may cause the reduction or loss of the products' availability, such as potential race conditions and improper exception handling. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM, and should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part I (2)(j) — Attack surface reduction | (C) Lucent Sky AVM analyzes the source code and binary files of the products to identify functionality that is exposed publicly or externally. | Customers should evaluate whether the identified public and/or external functionality is necessary, and should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part I (2)(k) — Incident mitigation | (C) Lucent Sky AVM analyzes the source code, binary files, and dependencies of the products to identify missing exploit mitigation mechanisms (for example, security mechanisms that have been disabled), and to identify potential locations in the code where sensitive information is stored insecurely, such as storing sensitive information without encryption or with obsolete encryption technologies. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM, and should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part I (2)(l) — Security monitoring | (C) Lucent Sky AVM analyzes the source code and binary files of the products to identify potential locations where logging is done insecurely, such as writing untrusted input into log entries. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM, and should use Lucent Sky AVM in addition to automated and/or manual reviews.
Part II (1) — Software bill of materials | (S) Lucent Sky AVM analyzes the source code, binary files, and dependencies of the products to identify software components and dependencies. The identified components are checked for known vulnerabilities and can be used to create a software bill of materials for the products. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM.
Part II (2) — Vulnerability remediation | (S) Lucent Sky AVM analyzes the source code, binary files, and dependencies of the products to identify both known and unknown vulnerabilities. Lucent Sky AVM can automatically remediate vulnerabilities by generating Instant Fixes, production-ready code segments that replace the vulnerable code, and helps developers remediate vulnerabilities by generating remediation guidance or update guidance. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM.
Part II (3) — Security testing | (S) Lucent Sky AVM can be used throughout the software development lifecycle and within continuous integration processes to automatically analyze the source code, binary files, and dependencies of the products to identify both known and unknown vulnerabilities. | Customers must ensure applicable parts of the products are properly analyzed by Lucent Sky AVM.

(S) Lucent Sky AVM contributes significantly to the conformity of the requirement, with minimal prerequisites or additional work.
(C) Lucent Sky AVM contributes to the conformity of the requirement, but at least some prerequisites or additional work are required.
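To make concrete what the Part I (2)(b) row calls "insecure generation of randomized passwords", the following Python is an added example written for this page; it is not code from Lucent Sky AVM, and the function names, the 16-character alphanumeric default credential and the timestamp used are assumptions of the example. It places a clock-seeded `random` generator beside a `secrets`-based one, and shows why a static analyzer flags the former: an attacker who can bound the provisioning time recovers the "random" default password by trying each candidate seed.

```python
import math
import random
import secrets
import string
import time
from typing import Optional

# Character set assumed for a generated default credential (an assumption of this example).
ALPHABET = string.ascii_letters + string.digits


def generate_default_password_insecure(length: int = 16, seed: Optional[int] = None) -> str:
    """Vulnerable pattern: a per-device default password drawn from `random`.

    `random` is a Mersenne Twister, not a CSPRNG, and seeding it from the clock
    (a common habit) means anyone who can narrow down the provisioning time can
    regenerate the exact password. The explicit `seed` parameter exists only so
    the weakness can be demonstrated deterministically below.
    """
    rng = random.Random(seed if seed is not None else int(time.time()))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def generate_default_password(length: int = 16) -> str:
    """Hardened pattern: draw every character from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def brute_force_seed(observed_password: str, start_ts: int, window_seconds: int,
                     length: int = 16) -> Optional[int]:
    """Attacker's view of the weak generator: if the device is known to have been
    provisioned within `window_seconds` of `start_ts`, try each candidate seed and
    return the one that reproduces the observed password (None if not found).
    A one-day window is only 86,400 candidates."""
    for candidate in range(start_ts, start_ts + window_seconds):
        if generate_default_password_insecure(length, seed=candidate) == observed_password:
            return candidate
    return None


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of `length` over `alphabet`.
    This is what the CSPRNG version actually delivers."""
    return length * math.log2(len(alphabet))


def weak_seed_entropy_bits(window_seconds: int) -> float:
    """Effective entropy of the clock-seeded version: it collapses to the size of
    the seed window, regardless of how long the password is."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    provisioned_at = 1700000000  # constructed timestamp for the demonstration
    leaked = generate_default_password_insecure(seed=provisioned_at)
    print("weak password:", leaked)
    # Attacker only knows provisioning happened within an hour either side.
    print("recovered seed:", brute_force_seed(leaked, provisioned_at - 3600, 7200))
    print("strong password:", generate_default_password())
    print(f"nominal entropy: {password_entropy_bits(16):.1f} bits; "
          f"clock-seeded effective entropy over one day: {weak_seed_entropy_bits(86400):.1f} bits")
```

The point a reviewer should take from this is that length and character set say nothing about strength when the generator is predictable: a 16-character password from a clock-seeded `random` carries about 16 bits of effective entropy over a one-day window, against roughly 95 bits from `secrets`. The same reasoning applies to any default credential, API key or reset token a product generates at first boot or install.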

About Lucent Sky AVM

Lucent Sky AVM accelerates and scales the identification and remediation of common categories of application vulnerabilities, such as those in the OWASP Top 10 and those covered by PCI DSS. It is compatible with .NET, ASP, Android, C/C++, Go, iOS, Java, PHP, Python, Ruby, Rust, and Visual Studio applications, as well as static websites and many cross-framework languages and data interchange formats. Lucent Sky AVM is accessible through a web interface, IDE plugins, a CLI, and an API, and integrates with most common ALM and CI systems.