Product Software Security for CRA Readiness
RunSafe’s Approach to Vulnerability Risk and Lifecycle Security
As products have become increasingly software-driven and connected, vulnerabilities in embedded and third-party software introduce real security risk. Manufacturers’ security practices must maintain continuous visibility into all software inside their products, understand vulnerability exposure, and manage cybersecurity risk across the entire product lifecycle. This shift requires more automated processes and tooling to track software, assess risk, and maintain security after a product release. Further, RunSafe protects at runtime against the exploitation of vulnerabilities even when a patch is not applied, dramatically reducing liability exposure.
New European Union Requirements
To address rising cybersecurity risks in connected devices, the European Union introduced the Cyber Resilience Act (CRA), establishing mandatory security requirements for products sold in the EU market. The regulation applies to products with digital elements — software such as embedded firmware, operating systems, applications, and third-party libraries. Manufacturers are expected to demonstrate:
- Visibility into software components
- Understanding of vulnerability exposure
- Risk-based remediation decisions
- Ongoing security management across the product lifecycle
“From our perspective, adding RunSafe means we have more opportunity to shrink the attack surface and reduce overall risks for our customers since security is now already built into our product.”
How RunSafe Supports CRA Readiness
RunSafe helps manufacturers close the operational gaps introduced by the CRA by providing the software visibility, risk clarity, and lifecycle security oversight required to demonstrate secure product development and ongoing vulnerability management.
Software Transparency
Knowing exactly what software is inside shipped products
- Automated build-time SBOM generation for firmware and software
- Full software inventory across firmware, operating systems, applications, and libraries
- Complete dependency tree visibility including third-party and open-source components
Vulnerability and Risk
Understanding which vulnerabilities actually create real risk
- Maps CVEs directly to software components identified in the SBOM
- Determines whether vulnerabilities are exploitable or theoretical risk
- Provides residual risk analysis to guide patch, mitigate, or monitor decisions
Product Lifecycle Visibility
Maintaining cybersecurity visibility throughout the product lifecycle
- Continuous SBOM generation tied to product builds to ensure accuracy
- Ongoing vulnerability monitoring against shipped product versions
- Options to make vulnerabilities non-exploitable when patches are delayed or unavailable
A Stronger Cybersecurity Position
RunSafe provides technical evidence and reporting that supports the CRA documentation elements listed below.
| Component | Supported by RunSafe |
|---|---|
| Cybersecurity Risk Assessment Report | ✓ |
| Secure Development Lifecycle Documentation | ✓ |
| Software Bill of Materials (SBOM) | ✓ |
| Vulnerability Management & Monitoring Plan | ✓ |
| Incident Response & Regulatory Reporting Procedure | ✓ |
| Supply Chain Due Diligence Records | ✓ |
| Security Update & Support Policy | ** |
| EU Declaration of Conformity & CE Marking File | ✓ |
** Subject to RunSafe customers’ practice
Why RunSafe?
RunSafe helps manufacturers provide clear visibility into the software inside their products and understand which vulnerabilities create real risk. By delivering continuous insight into software components, vulnerability exposure, and product lifecycle security, RunSafe enables manufacturers to demonstrate secure product development and maintain the cybersecurity assurance required under the CRA.