CRA in practice
Erlang/OTP’s journey toward CRA compliance
<p><a href="https://github.com/erlang/otp">Erlang/OTP</a> is an open source programming language designed for the development of concurrent and distributed systems. Created 40 years ago and open sourced in 1998, Erlang is used by <a href="https://www.ericsson.com/en">Ericsson</a>, <a href="https://www.cisco.com/">Cisco</a>, <a href="https://www.whatsapp.com/">WhatsApp</a>, <a href="https://discord.com/">Discord</a>, and <a href="https://www.klarna.com/se/">Klarna</a> for mission critical applications as well as loved by a broad community of open source developers. With the advent of the Cyber Resilience Act (CRA), the Erlang/OTP team, jointly with the <a href="https://erlef.org/">Erlang Ecosystem Foundation</a> (EEF), began to prepare the project to meet CRA requirements.
In this presentation, Kiko will describe and dive into the various supply chain best practices implemented by the Erlang/OTP project: the creation of Source Software Bill-of-Materials (Source SBOMs), automated vulnerability scanning of dependencies using <a href="https://osv.dev/">OSV</a>, creation of <a href="https://github.com/openvex/spec">OpenVEX statements</a>, vulnerability handling in collaboration with the <a href="https://cna.erlef.org/">EEF as CNA</a>, and contributions to towards other open source projects [[1],[2],[3]] to improve the security posture of the ecosystem. Moreover, Kiko will provide an insight into the lessons learned from implementing these measures in an open source project.</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ua2114 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 1/31/26 |
<p>Opening remarks and housekeeping.</p>
|
| 1/31/26 |
<p>Deutsche Bahn, with its 230,000 employees and hundreds of subsidiaries, is far from an average organization. Yet it faces the same challenges under the CRA as many others. In this session, we will show how we connected the concrete requirements of CRA compliance with our broader effort to bring transparency to our software supply chains. This forms the basis for security and license compliance processes, as well as for proactively shaping the ecosystems we depend on.</p> <p>We will outline ...
|
| 1/31/26 |
<p>EV charging stations expose a uniquely difficult CRA landscape: A single physical device can be accessed through very different user paths: ISO 15118 (Plug&Charge), RFID cards, mobile apps, credit-card terminals, and OEM-backends. Between the end user and the actual product manufacturer sit multiple intermediaries (CSMS, OEM cloud, roaming hubs, payment processors), each with partial control over configuration, telemetry, and security posture. How to deliver all the CRA obligations across ...
|
| 1/31/26 |
<p>Embedded products are at the core of the Cyber Resilience Act, yet they face unique compliance challenges. Hardware vendors ship heavily patched BSPs, software modules often diverge from upstream, and reliable identification of modified components is still far from solved. For teams building products on top of these layers, translating CRA requirements into daily engineering practice is not straightforward.</p> <p>This talk provides a practical overview of where CRA compliance currently ...
|
| 1/31/26 |
<p>The Cyber Resilience Act (CRA) is reshaping expectations around open source software, introducing new requirements for security, traceability, and documentation. While maintainers are responsible for technical compliance, community managers play a critical but often overlooked role in helping projects adapt. This session is designed for community managers, project maintainers, stewards, and open source contributors interested in practical CRA readiness. The focus is on practical enablement by ...
|
| 1/31/26 |
<p>This panel brings together experts to discuss the practical realities of implementing the CRA steward role, as defined by the regulation, and how organisations are approaching its execution. Panelists will explore how the concept of CRA stewards is being interpreted, what responsibilities are emerging in practice, and the challenges organisations face in preparing for this new function. They will also highlight which elements remain unclear, what support or guidance is still needed, and how ...
|
| 1/31/26 |
<p>Security teams are currently drowning in vulnerability data, but the Vulnerability Exploitability eXchange (VEX) offers a solution by providing machine-readable clarity on which exploits actually matter. This technology is rapidly evolving from a "nice-to-have" efficiency tool into a critical compliance enabler for the EU Cyber Resilience Act (CRA), which mandates effective vulnerability handling for the European market.</p> <p>In this session, Georg and Rao present the findings from the VEX ...
|
