I do not know how to feel about this. A part of me as a user welcomes it, but a part of me as a programmer is cursing the European Union for making my life harder.
The Cyber Resilience Act is a regulation of the European Union to promote the cyber security of all products with digital elements. That is, our creations as programmers, whether this has to do with our software for devices or computers or microcontrollers or industrial applications.
Here is a relevant article that says it all:
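European Cyber Resilience Act: can new requirements for products strengthen your organization's cybersecurity resilience? (publyon.com)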
According to the relevant article of publyon.com we have almost 4 years to adapt to this regulation but I believe it is better to know where you are heading from now and face whatever is to come in our way immediately. I believe so, that we have to face all the things from the beginning than to postpone for later something that can be done now. There is a law (I don't remember who introduced it) that says that a work tends to take as much as your available time for it. Let's reduce this time to a matter of months - a year at the top.
I think it's time to form a consortium to face it and lift the weights in the side of @Erel because if he will face everything by himself he will end up cracking and that may result for us in losing his valuable support with B4X universe that helped us in our everyday work.
You can Google the "Cyber Resilience Act" and when you will get to the relevant page of the European Union download the proposal. In the annexes there are all the obligations of the various parts in the chain of software availability to the users either you are acting as a manufacturer/programmer, or a reseller etc.
Starting this initiative of the B4X consortium, here are my first understandings and proposals for this act:
1) All the code that we have contributed to this forum is governed with the open source adaptations by the EU in the proposal for this regulation. That is because we have supplied the code and we have made it freely available or donationware (the total amount of earnings is less than the amount spent to create it/maintain it). Some creators of wrappers of course of already made libraries have to perform a reverse engineering in the initial libraries (if they are compiled) that were wrapped and have to check them thoroughly themselves (and include in the zip files the version checked). This is in favour of b4xlibs which I suppose we have to use from now on.
2) The three open source products out of the 4 of the B4X universe are not governed (according to my understanding) by the open source adaptations by the EU in the proposal for this act, because their code is partly available to the public. We have to help @Erel face this so that leads me to number 3 and the following proposals.
3) Each software according to the proposed regulation has to have a bill of materials. That is a tree of what it is made of which has to be available to the end user. I suppose in order to help Erel adapt to this, and since he cannot be sure (until the suppliers of the materials have adapted to this regulation) about the materials used in the B4X IDEs we have to help him lift this weight. I propose to shift the B4X universe to the B4X universe. According to my understanding all the IDEs use a library that exposes an object that @Erel uses as the programming window as well as a treeview and a gridview available in .NET and I cannot be completely sure about the search. I believe most of the previous components are already available in the B4J IDE and I also believe that we can develop an open source library similar to the coding window based in something like the HTML Editor View since all it uses is a { contenteditable="true" } directive in the code of the HTML. With the help of some css+javascript and something like that I believe we can make it all together shifting the creation of the B4X IDEs to the B4X universe (and especially B4J) and that is recursive to the next versions of the IDEs. This way @Erel will gain full control over the IDEs and we will help him to help us. Also a plus is that B4X will be cross-platform if we do this.
4) @Erel you already have available an e-mail address for contact on this site and maybe you can use the options available by the EU in the proposed regulation in order to create also a mail address for contact (in order not to expose your real address because of the situation in Israel). You can do this by making available a P.O. Box or by setting a trusted attorney that will handle all the written communications as a mediator with you.
5) As far as it has to do with the security updates for software created by the 2 IDEs (B4i & B4A) the stores handle this automatically. For software created by the B4R IDE (obviously for MCUs that are connected to the internet) we have to create auto updating functions like OTA Update (we have to see how to do this over https because it is not done this way now). For B4J all we have to do is to create a single program that will only be the updater which will initially download the full software (as it is created as a standalone package) and place it in the XUI.DefaultFolder and run it from there when it is first installed and then from the second time and on it will check if there are new updates and delete the present folder of the "installed" software, download the update and unzip it "installing it" there (XUI.DefaultFolder). It is obvious that the data of the application have to be stored in a separate folder, or the XUI.DefaultFolder and the software has to be "installed" in a sub-folder of this folder.
6) For the B4R IDE there has to be a fix for the https access to on-line APIs which with every new calling of the API limits by something the available memory. I do not know why this is done but until now I had ended up using only http access which mitigates this but is considered obviously unsafe.
7) The 3 out of 4 IDEs (in the hosted builder case) or the 4 out of 4 IDEs (in the local builder case) provide local access to the transmission of data (nothing to mitigate so for them and then again maybe not). For the B4i IDE that transmits to the hosted builder the project maybe encryption must be used in the communication but I do not know if it is a must do.
8) Most of the other requirements are almost straightforward but I have some questions about what all of you think about this and that leads me to the next part of this post.
QUESTIONS:
1) The regulation mentions that "Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks". Although this sounds almost totally comprehensible I cannot be sure if something more is meant in this sentence like advanced obfuscation. What do you all think?
2) The regulation mentions that "Products with digital elements shall be delivered without any known exploitable vulnerabilities". Does this mean that for 24/7 we have to contact or have/apply to our projects white hat hacker knowledge?
3) The regulation mentions that "...protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions". How do we do this? I mean if our software is publicly available and a malicious user can see our code+keys for encryption/decryption if no advanced obfuscation is used?
4) The regulation mentions that "...apply effective and regular tests and reviews of the security of the product with digital elements". Does this mean "run, my feet, run, in order not for my b*tt to shit on you..." in the sector of cyber security, 24/7, which leads us to question number 2? A proposal for both of these questions, is to create the B4X consortium that we will all pay monthly some money in order to hire some known cyber security company to do this work for all of us and notify us in every case + advise us on what to do...
5) The regulation mentions that "...protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms". Again! How is this done if a malicious user can see our code and get the keys of encryption/decryption if no advanced obfuscation is used? This also leads to the proposal of question number 4. It is obvious to my eyes that in the case of just stored data the password of the user can be used to encrypt the data and with every change of password decrypt - re-encrypt it. For transmitted though? What do we do? We have to know the decryption password in server side. I know, someone could say keep a copy of the user's password on-line, and I would ask if this is safe enough which in my eyes it is not.
Any more suggestions/questions by anyone?
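
The B4J updater flow from proposal 5 (download the update, remove the installed folder, unzip), shown with the integrity checks an updater needs before it replaces anything. This is an added example, not part of the original post and not B4X code: it is written in Python, the names `install_update`, `check_members` and `UpdateRejected` are hypothetical, and it assumes the expected SHA-256 comes from a manifest the updater fetched over HTTPS and that application data lives outside `app_dir`.

```python
import hashlib, hmac, io, os, shutil, tempfile, zipfile

class UpdateRejected(Exception):
    """The package failed a check; the installed version is left untouched."""

def check_members(zf: zipfile.ZipFile, dest: str) -> None:
    # Refuse archives whose entries resolve outside dest ("zip slip").
    root = os.path.realpath(dest)
    for info in zf.infolist():
        target = os.path.realpath(os.path.join(root, info.filename))
        if os.path.commonpath([root, target]) != root:
            raise UpdateRejected(f"entry escapes install folder: {info.filename!r}")

def install_update(package: bytes, expected_sha256: str, app_dir: str) -> str:
    # 1. Verify the download before touching the installed copy.
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise UpdateRejected("SHA-256 does not match the manifest")
    # 2. Unpack into a staging folder next to app_dir (same filesystem).
    parent = os.path.dirname(os.path.abspath(app_dir))
    staging = tempfile.mkdtemp(prefix=".staging-", dir=parent)
    backup = app_dir + ".old"
    try:
        try:
            with zipfile.ZipFile(io.BytesIO(package)) as zf:
                check_members(zf, staging)
                zf.extractall(staging)
        except zipfile.BadZipFile as exc:
            raise UpdateRejected(f"not a valid zip: {exc}") from exc
        # 3. Swap by rename; the old version is deleted only after success.
        shutil.rmtree(backup, ignore_errors=True)
        had_old = os.path.isdir(app_dir)
        if had_old:
            os.rename(app_dir, backup)
        try:
            os.rename(staging, app_dir)
        except OSError:
            if had_old:
                os.rename(backup, app_dir)  # roll back to the old version
            raise
    except Exception:
        shutil.rmtree(staging, ignore_errors=True)
        raise
    shutil.rmtree(backup, ignore_errors=True)
    return digest

if __name__ == "__main__":
    buf = io.BytesIO()  # constructed sample package, not a real release
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("app.jar", b"constructed v2 payload")
    pkg = buf.getvalue()
    app = os.path.join(tempfile.mkdtemp(), "MyApp")
    print(install_update(pkg, hashlib.sha256(pkg).hexdigest(), app), os.listdir(app))
```

A digest from an HTTPS manifest only protects against corruption and tampering in transit; a signature checked against a public key shipped with the updater would also cover a compromised download server.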