What is composition?
Composition is the practice of building an embedded product by assembling various software and hardware components: operating system, libraries, firmware, applications, microprocessors, microcontrollers… An embedded product is rarely monolithic. It’s made up of a collection of components, each playing a specific role in the overall system.
The art of assembling these components in a coherent, secure, and maintainable way is what we call composition (and software composition when we focus only on the software layers of the system).
This modular approach allows the system to be structured around independent building blocks, while ensuring they work together reliably.
Why is software composition a response to the CRA?
Each component can carry part of the compliance burden. By selecting the right software bricks, you can delegate some of the Cyber Resilience Act requirements to lower layers.
In other words, if a component is already compliant with a CRA requirement, the system that integrates it can benefit (provided the integration is done properly).
Composition helps save time when assessing compliance for layers you don’t control directly, reduces risk, and lets you focus on the differentiating elements of your product.
4 best practices for software composition analysis security
1. Master your SBOM from the start
The Software Bill of Materials (SBOM) isn’t just useful for vulnerability management. It’s essential from the design phase. It helps map out software components, track their origin, version, and maintainer, and anticipate supply chain risks.
2. Minimize attack surface by limiting components
Another best practice: reduce the embedded system’s functional scope. Every unnecessary component is a potential attack surface.
A customized Yocto distribution, for instance, lets you include only what is needed: if you don’t need IPv6, simply leave it out.
3. Choose maintained and secure components
Supply chain attacks in open source are on the rise. For instance, a compression library was compromised by a malicious contributor, introducing a vulnerability in SSH. Other cases involve compromised Node.js libraries.
The takeaway: avoid unmaintained or solo-developed components. Favor active, well-documented projects with proper code review processes.
4. Integrate with discipline
Even if each component is secure, poor integration can introduce vulnerabilities. For example, a well-configured Secure Boot can be bypassed if the U-Boot command line remains active. Security must be treated as a chain of trust, from the bootloader to the applications.
Software updates: a case study in composition for the CRA
The ability to update an embedded system is an indirect requirement of the CRA: the product must not be left with exploitable vulnerabilities. This means the entire software stack (firmware, OS, and applications) must be updatable in a secure and reliable way.
How does this relate to software composition? Update mechanisms themselves are components to be integrated into your system. At The Embedded Kit, we’ve integrated tools like Mender and SWUpdate into our Yocto-based Linux distribution. These components handle update management using full-partition strategies and signature mechanisms (private/public key) to ensure image authenticity.
But as with any component, integration must be rigorous. For example, the public key used to verify updates must be protected: if an attacker can replace it, the entire update chain becomes vulnerable. That’s why we pair these tools with Secure Boot, another essential brick that validates each boot stage and protects the keys involved.
Software updates are not a standalone feature; they’re a concrete example of software composition, where each brick (update tool, signature mechanism, Secure Boot, etc.) plays a role in system compliance and resilience.
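The signed-update flow described above, as an added example that is not code from The Embedded Kit, SWUpdate or Mender: the build side signs an image, the device side verifies it against the public key it holds, and the artifact layout is a constructed model. It assumes the `cryptography` package is installed.

```python
from dataclasses import dataclass
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

@dataclass
class UpdateImage:
    """Constructed model of a full-partition update artifact plus its
    detached signature (not the SWUpdate or Mender artifact format)."""
    version: str
    payload: bytes
    signature: bytes

def signed_message(version: str, payload: bytes) -> bytes:
    # Bind version and payload so a valid signature cannot be replayed onto
    # another version string; the NUL byte separates the two fields.
    return version.encode() + b"\x00" + payload

def sign_image(private_key: Ed25519PrivateKey, version: str, payload: bytes) -> UpdateImage:
    """Build-side step: the vendor signs the image with a private key that
    never leaves the build pipeline or HSM."""
    return UpdateImage(version, payload, private_key.sign(signed_message(version, payload)))

def verify_image(trusted_key: Ed25519PublicKey, image: UpdateImage) -> bool:
    """Device-side step, run before the image is written to the inactive
    partition. trusted_key is the public key stored on the device: whoever
    can replace it decides what the device accepts, which is why Secure Boot
    has to protect it."""
    try:
        trusted_key.verify(image.signature, signed_message(image.version, image.payload))
        return True
    except InvalidSignature:
        return False

if __name__ == "__main__":
    priv = Ed25519PrivateKey.generate()
    pub = priv.public_key()  # this is what gets provisioned on devices
    img = sign_image(priv, "2.1.0", b"rootfs-image-bytes")
    print("genuine image accepted:", verify_image(pub, img))
    img.payload += b"-modified"
    print("modified image accepted:", verify_image(pub, img))
```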
Software composition analysis security tools
To go further in mastering your composition, it’s essential to have software composition analysis tools.
At The Embedded Kit, we’ve developed CVE Scan, a tool dedicated to vulnerability detection and management. It works with Yocto, Buildroot, Zephyr, and even with applications or websites associated with your embedded system.
CVE Scan allows you to:
- Detect known vulnerabilities
- Track their evolution
- Manage their remediation throughout the product lifecycle
- And comply with the Cyber Resilience Act requirements
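The SBOM-driven detection described in best practice 1 and in the CVE Scan list above, as an added example that is not CVE Scan's or The Embedded Kit's code: it reads a constructed CycloneDX-style SBOM fragment, matches each component against constructed advisory records with version ranges (placeholder IDs, not real CVEs), and reports the remediation status to track.

```python
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment (component names and versions are made up).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "compresslib", "version": "5.6.1"},
    {"type": "library", "name": "tlslib", "version": "3.0.13"},
    {"type": "application", "name": "init-tools", "version": "1.36.1"}
]}"""

@dataclass
class Advisory:
    """Constructed vulnerability record with a placeholder ID (not a real CVE).
    Versions in [introduced, fixed) are affected; fixed=None means no fix yet."""
    id: str
    component: str
    introduced: str
    fixed: "str | None" = None

ADVISORIES = [
    Advisory("ADV-0001", "compresslib", "5.6.0", "5.6.2"),
    Advisory("ADV-0002", "tlslib", "3.0.0", "3.0.14"),
    Advisory("ADV-0003", "init-tools", "1.30.0", "1.35.0"),  # fixed before 1.36.1
    Advisory("ADV-0004", "tlslib", "3.0.13"),                # no fixed release yet
]

def version_key(v: str) -> tuple:
    """Compare dotted numeric versions numerically, so 3.0.9 < 3.0.13."""
    return tuple(int(p) for p in v.split("."))

def is_affected(adv: Advisory, version: str) -> bool:
    v = version_key(version)
    return v >= version_key(adv.introduced) and (adv.fixed is None or v < version_key(adv.fixed))

def scan_sbom(sbom_json: str, advisories: list) -> dict:
    """Map each affected "name@version" to its advisory IDs plus the remediation
    status a team then tracks through the product lifecycle."""
    report = {}
    for comp in json.loads(sbom_json)["components"]:
        hits = [a for a in advisories
                if a.component == comp["name"] and is_affected(a, comp["version"])]
        if hits:
            fixes = [a.fixed for a in hits]  # fixable only if every hit names a fix
            report[f"{comp['name']}@{comp['version']}"] = {
                "advisories": [a.id for a in hits],
                "status": "fix-available" if all(fixes) else "no-fix-yet",
                "upgrade_to": max(fixes, key=version_key) if all(fixes) else None,
            }
    return report
```

Components whose every matching advisory is already fixed in the installed version do not appear in the report, which is what keeps a scan over a large Yocto image readable.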
Conclusion: Compose to secure and accelerate compliance
The Cyber Resilience Act sets high expectations, but each requirement can be addressed with the right technical solution. The key is smart composition.
Software composition offers a modular, scalable, and secure approach for device manufacturers. But it also demands discipline in selecting, integrating, and maintaining components.
By relying on trusted, well-integrated bricks and managing their lifecycle, manufacturers can save time, reduce risk, and prepare for CRA compliance today.
That’s why at The Embedded Kit, we offer ready-to-use components. Among those, our Yocto-based Linux distribution includes:
- Secure update mechanisms
- Secure Boot
- Secure Storage
- Connected fleet management
- Automated testing with Pluma
- Vulnerability detection and lifecycle management with CVE Scan
Check out our Welma Tech Tour to learn more or get in touch with our team.