In December 2024, the Cyber Resilience Act (CRA) entered into force in Europe, marking the beginning of the transition period for organizations and businesses to adapt to the new cybersecurity requirements. This regulation aims to raise quality and security standards by requiring manufacturers and retailers to support and update digital components throughout the lifecycle of their products. The CRA covers both hardware and software and affects not only EU manufacturers but also importers, so US companies that operate or sell their products in EU countries will be affected, too. The legislation will profoundly impact several market segments, such as Internet of Things products. While companies have until 2027, when compliance obligations become mandatory, the CRA marks an important step in recognizing the importance of cybersecurity for a great range of products and in creating structures that will protect the interests of end customers. Anton Snitavets, a Lead Information Security Engineer at Doumo, an IEEE Senior Member, a fellow member of the Hackathon Raptors community, and a Certified Information Systems Security Professional, explains what the modern approach to cybersecurity entails and what factors businesses should take into account to protect their customers and themselves.
The shift towards an integrated approach
Anton Snitavets points out that for a growing number of businesses, cybersecurity has become an integral part of their operations rather than a set of protective measures or security rules imposed on existing processes. This is particularly true for companies that specialize in software development. Anton faced this challenge in 2017 when he started working at Aras Corp as a DevSecOps Engineer. To improve the software development process, he implemented a Secure Software Development Lifecycle (SSDLC), which made development significantly more secure by adding new means of detecting and eliminating cybersecurity risks before they lead to negative consequences. He integrated existing software solutions along with custom ones he developed himself, making the development process more productive and reliable. Specifically, he improved the process of developing updates for the Aras Innovator software, an engineering product management solution used by Aras customers, among them major engineering companies such as General Motors and Airbus. As a result, within 3.5 years he significantly increased product quality, eliminated multiple vulnerabilities in the software, and improved its stability and security, which is especially important for a software solution used for complex engineering tasks. Having recently joined Doumo, he is now implementing similar approaches as a Lead Information Security Engineer, working on integrating the SSDLC with cloud infrastructure.
“The fact that more companies, similar to the two mentioned above, focus significant effort on making the development processes more secure highlights that for security measures to be efficient, they need to become an integral part of the software development cycle,” he comments. “The companies that have not already implemented this approach will need to learn to apply it throughout the development lifecycle.”
Developing tailored solutions
This shift towards a more integrated approach to information security leads to another significant change. Businesses must develop tailored solutions that answer their needs precisely instead of relying on ready-made ones. “Ready-made solutions often do not cover all cases and scenarios, leaving specific vulnerabilities unprotected or, conversely, wasting company resources on measures that aren’t necessary in a particular case,” explains Anton Snitavets. “This is why companies need solutions that account for the specifics of their operations and the related common risks.” His experience provides ample examples of why developing tailored solutions and accounting for specific situations and threats is essential: it improves the development process and makes the product more secure for the end user. At Aras Corp, he developed and implemented a code analysis solution that allowed developers to detect vulnerabilities such as SQL injection and path traversal in the product code, as well as vulnerabilities specific to that particular product. After the analyzer was implemented, several dozen vulnerabilities were detected and fixed. In addition, the analyzer made it safer for end users to develop their own custom solutions on top of the product, enabling them to detect and resolve potential risks in the early stages of development.
Anton Snitavets mentions one more critical concept companies will have to adopt: they will have to focus on preventing threats and acting proactively instead of focusing solely on protecting themselves from known threats and responding to breaches that have already happened. Achieving this goal requires a flexible system of analysis and reporting that allows the company to monitor the current state of its infrastructure, predict and detect potential risks, and eliminate them before they cause any losses. This is the type of work Anton Snitavets conducted at Jabil Inc., where he worked as a Cloud Security Engineer from 2022. To improve the company’s security compliance posture, he developed an original reporting framework for promptly reporting the security state of its cloud resources, adapting existing security standards to do so. He integrated a software solution that aggregated data about the state of cloud resources that played a crucial role in company operations, helping to keep its security compliance rating at the highest possible level.
The necessity of continuous learning
It is important to add that technology is constantly moving forward, and along with new protective measures, new threats emerge. “While cybersecurity professionals develop new, more robust, and resilient ways to protect data and ensure the stable operation of the digital infrastructure, malicious actors find new attack vectors, trying to use emerging technology to their advantage,” explains Anton Snitavets. This is why a cybersecurity professional must learn continuously, both in theory and in practice, exploring new methods and solutions and finding efficient ways to apply them to the tasks at hand.
Throughout his career, Anton Snitavets has followed this principle. Even while studying, he started working as a software developer, gaining experience that provided a solid foundation for his future career. He then worked continuously on acquiring professional certifications, including the Certified Information Systems Security Professional (CISSP), which is considered one of the most challenging cybersecurity certifications to obtain.
“It is important to combine acquiring formal certifications, which prove the professional skills of the individual, with a constant exploration of emerging technologies and putting newly acquired knowledge into practice,” explains Anton Snitavets. “Becoming a cybersecurity expert requires high dedication and discipline because the cost of mistakes can be significant.
One must constantly move forward and act proactively to implement efficient information security processes. New regulatory measures like the CRA will push companies to adopt better security practices. However, even before they become mandatory, companies must advance their approach to cybersecurity to protect themselves and their clients against emerging threats.”