After a recent tip on documenting your reasoning when ignoring a CVE in composer audit, I got some great feedback from a reader.
Aki Rose Braun, a consultant working on European and international technical standards, pointed out that this practice is about to become more than just a good habit. It will be required by the EU's Cyber Resilience Act (CRA).
Under that legislation, if you choose not to remediate a known CVE in your product, keeping internal technical documentation of that decision and its reasoning will be mandatory.
If you sell software to customers in Europe, compliance deadlines begin later this year. Even if you have no European customers today, this is a healthy practice to adopt now.
As I've already argued, it's good for your own team. The legal compliance aspect is just one added reason to do it.
Here to help,
Joel
P.S. Need help thinking through your security and compliance practices? Schedule a call with us.