πŸ›‘οΈ Hack23 Homepage β€” CRA Conformity Assessment

Evidence-Driven Conformity Through Systematic Assessment
EU Cyber Resilience Act Compliance for Corporate Website

Owner Version Effective Date Review Cycle

License OpenSSF Scorecard Verify and Deploy

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 1.1 | πŸ“… Last Updated: 2026-04-21 (UTC) πŸ”„ Review Cycle: Quarterly | ⏰ Next Review: 2026-07-21 🏷️ Classification: Public Low Standard


## 🎯 Purpose Statement

This CRA conformity assessment documents how the Hack23 Homepage (hack23.com) addresses EU Cyber Resilience Act requirements through systematic self-assessment. As a static HTML/CSS website with no server-side code, backend database, or user data processing, the homepage has a minimal attack surface and low CRA risk profile.

As a cybersecurity consulting company, Hack23 AB applies the same rigorous assessment methodology to its own corporate website, demonstrating the security-first approach that clients can expect from our consulting services.

*James Pether Sörling, CEO/Founder*


## 📚 Related Architecture Documentation

| Document | Focus | Description |
|---|---|---|
| 🏛️ Architecture | C4 Model | System structure and deployment |
| 🛡️ Security Architecture | Security | Defense-in-depth security controls |
| 🎯 Threat Model | Threats | STRIDE/MITRE ATT&CK threat analysis |
| 📊 Data Model | Data | Content model and data structures |
| 🔄 Flowchart | Processes | CI/CD and content workflows |
| 📈 State Diagram | States | Deployment and content lifecycle |
| 🧠 Mindmap | Concepts | System conceptual relationships |
| 💼 SWOT | Strategy | Strategic analysis |
| 🔄 Workflows | CI/CD | GitHub Actions workflow documentation (10 workflows) |
| 🔄 BCP Plan | Resilience | Business continuity & recovery |
| 💰 Financial & Security Plan | Cost | TCO & security investment |
| 🔚 End-of-Life Strategy | Lifecycle | Technology lifecycle management |
| 🏷️ Classification | Data | Security classification framework |

## 📚 Reference Implementations

The following Hack23 AB projects demonstrate completed CRA assessments:

| 🚀 Project | 📦 Product Type | 🏷️ CRA Classification | 📋 Assessment Status | 🔗 Reference Link |
|---|---|---|---|---|
| 🕵️ CIA (Citizen Intelligence Agency) | Political transparency platform | Standard (Non-commercial OSS) | ✅ Complete | 📄 CRA Assessment |
| ⚫ Black Trigram | Korean martial arts game | Standard (Non-commercial OSS) | ✅ Complete | 📄 CRA Assessment |
| 🛡️ CIA Compliance Manager | Compliance automation tool | Standard (Non-commercial OSS) | ✅ Complete | 📄 CRA Assessment |
| 🌐 Hack23 Homepage | Corporate website | Standard (Non-commercial OSS) | ✅ Complete | This document |

## 1️⃣ Project Identification

*Supports CRA Annex V § 1 - Product Description Requirements*

| Field | Value |
|---|---|
| 📦 Product | Hack23 Homepage (hack23.com) |
| 🏷️ Version | Continuous deployment from the `main` branch |
| 🔗 Repository | https://github.com/Hack23/homepage |
| 📧 Security Contact | [email protected] |
| 🎯 Purpose | Corporate website (1,353 HTML files = 105 English source pages localised across 14 languages) showcasing Hack23 AB's cybersecurity consulting services, 7 open-source projects, and the public ISMS portfolio (transparency-by-design) |

📋 **Evidence Links:**

- 🏗️ System Architecture: ARCHITECTURE.md (complete C4 model architecture)
- Security Architecture: SECURITY_ARCHITECTURE.md (defense-in-depth security implementation)
- 🛡️ Future Security Vision: FUTURE_SECURITY_ARCHITECTURE.md (security enhancement roadmap)
- 🎯 Threat Model: THREAT_MODEL.md (STRIDE/MITRE ATT&CK threat analysis)
- 📊 Data Architecture: DATA_MODEL.md (content model and data structures)
- 🔄 Process Workflows: FLOWCHART.md (CI/CD and content workflows)
- 🔧 CI/CD Workflows: WORKFLOWS.md (GitHub Actions pipeline documentation)
- 🧠 System Overview: MINDMAP.md (conceptual system relationships)
- 🎯 Strategic Analysis: SWOT.md (strategic assessment)


## 2️⃣ CRA Scope & Classification

*Supports CRA Article 6 - Scope and Article 7 - Product Classification Assessment*

| 🏢 CRA Applicability | 🌐 Distribution Method | 📋 CRA Classification |
|---|---|---|
| Non-commercial OSS | Community | Standard |

📝 **CRA Scope Justification:** The Hack23 Homepage is a static HTML/CSS website with no server-side code execution, no database, no user authentication, and no personal data processing. It serves purely informational content via AWS S3 + CloudFront CDN. As non-commercial open-source software distributed via GitHub under the Apache 2.0 license, it is treated as non-commercial OSS in the Standard CRA classification, for which a self-assessment approach is sufficient.

📋 **Classification Evidence:**

**Minimal Attack Surface:**

- No server-side code execution (static HTML/CSS only)
- No user input processing (no forms, no JavaScript input handling)
- No authentication or session management
- No database or data persistence
- No API endpoints
- Content served read-only via CDN

## 3️⃣ Technical Documentation

*Supports CRA Annex V § 2 - Technical Documentation Requirements*

| 🏗️ CRA Technical Area | 📝 Implementation Summary | 📋 Evidence Location |
|---|---|---|
| 🎨 Product Architecture (Annex V § 2.1) | Static HTML5/CSS3 website deployed on AWS S3 + CloudFront CDN with C4 architecture documentation | ARCHITECTURE.md + SECURITY_ARCHITECTURE.md + MINDMAP.md |
| 📦 SBOM & Components (Annex I § 1.1) | Minimal dependencies (static HTML/CSS, Node.js build tools for minification). SLSA Level 3 build attestations for releases | GitHub Attestations + Latest Release |
| Cybersecurity Controls (Annex I § 1.2) | No server-side code; security via AWS CloudFront (TLS 1.3, security headers, DDoS protection), GitHub Actions hardening (StepSecurity), supply chain security (OpenSSF Scorecard) | SECURITY_ARCHITECTURE.md + THREAT_MODEL.md |
| 🛡️ Supply Chain Security (Annex I § 1.3) | SLSA Level 3 attestations, Dependabot automation, OpenSSF Scorecard monitoring, SHA-pinned GitHub Actions | WORKFLOWS.md + OpenSSF Scorecard |
| 🔄 Update Mechanism (Annex I § 1.4) | Continuous deployment via GitHub Actions with automated security scanning (CodeQL, dependency review), OWASP ZAP full scan post-deployment | WORKFLOWS.md + FLOWCHART.md |
| 📊 Security Monitoring (Annex I § 1.5) | OpenSSF Scorecard supply chain monitoring, GitHub Security Advisories, Dependabot alerts, OWASP ZAP scheduled scans, CloudFront access logging | SECURITY_ARCHITECTURE.md |
| 🏷️ Data Protection (Annex I § 2.1) | No personal data processed. Static content only. AWS S3 AES-256 encryption at rest, TLS 1.3 in transit. Data classification per ISMS framework | DATA_MODEL.md + CLASSIFICATION.md |
| 📚 User Guidance (Annex I § 2.2) | Comprehensive README, architecture documentation, security architecture, threat model, and ISMS policy references | README.md + SECURITY_ARCHITECTURE.md |
| Vulnerability Disclosure (Annex I § 2.3) | Public vulnerability disclosure policy via GitHub Security Advisories with coordinated disclosure process | SECURITY.md + Vulnerability Management Policy |

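The "SHA-pinned GitHub Actions" control in the supply chain row is only as strong as the check that enforces it: a tag such as `@v4` or a branch such as `@main` can be moved by the action's maintainer, or by whoever compromises that maintainer, while a full 40-hex commit SHA cannot. The following is an added example and not part of this assessment or of the Hack23/homepage repository's own tooling: a small Python linter that reports every `uses:` reference a workflow resolves through a mutable ref. The workflow text is constructed for the example, and the SHAs in it are placeholders rather than real action commits.

```python
"""Lint GitHub Actions workflow text for `uses:` references not pinned to a commit SHA."""
import re

# Constructed sample workflow for this example. The action names mirror the ones the
# assessment mentions, but the SHAs are placeholders and the unpinned lines are deliberate.
SAMPLE_WORKFLOW = """\
name: verify-and-deploy
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: actions/checkout@v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every `uses:` that a tag or branch could move.

    Accepted as pinned: a 40-hex commit SHA after '@', a docker:// image carrying a
    sha256 digest, or a local action path (which is reviewed with the repository itself).
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)  # the token after `uses:`; a trailing "# v2" comment is not captured
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if not DIGEST_RE.search(ref):
                findings.append((lineno, ref))
            continue
        # rpartition yields ("", "", ref) when there is no "@" at all, which is also unpinned
        _, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def is_fully_pinned(workflow_text: str) -> bool:
    """Convenience wrapper for a CI gate: True only when nothing is flagged."""
    return not find_unpinned(workflow_text)


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action reference {ref}")
```

Run over the files under `.github/workflows/` as a CI step and fail the job when `find_unpinned` returns anything; the `# v4` style comment after a SHA is what Dependabot uses to keep the pin updatable, so keep it in place.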

## 4️⃣ Risk Assessment

*Supports CRA Annex V § 3 - Risk Assessment Documentation*

Reference: 📊 Risk Assessment Methodology and ⚠️ Risk Register

Likelihood and residual risk use the risk register scale (VL = Very Low, L = Low, M = Medium); impact is given per C/I/A dimension.

| 🚨 CRA Risk Category | 🎯 Asset | 📊 Likelihood | 💥 Impact (C/I/A) | 🛡️ CRA Control Implementation | ⚖️ Residual | 📋 Evidence |
|---|---|---|---|---|---|---|
| Supply Chain Attack (Art. 11) | Build pipeline & npm dependencies | L | M/M/L | SLSA Level 3, Dependabot, OpenSSF Scorecard, SHA-pinned actions, StepSecurity harden-runner | VL | WORKFLOWS.md + Scorecard |
| Content Tampering (Art. 11) | HTML/CSS website content | L | L/M/L | S3 versioning, CloudFront origin access, branch protection, PR reviews, CI validation | VL | SECURITY_ARCHITECTURE.md |
| CDN/Infrastructure Attack (Art. 11) | AWS CloudFront/S3 | VL | L/L/M | AWS managed security, TLS 1.3, DDoS protection (Shield Standard), security headers | VL | SECURITY_ARCHITECTURE.md |
| CI/CD Pipeline Compromise (Art. 11) | GitHub Actions workflows | L | L/M/L | Least-privilege OIDC, hardened runners, pinned actions, branch protection rules | VL | WORKFLOWS.md |
| Website Defacement (Art. 11) | Public website content | L | L/M/L | S3 bucket policy (no public write), CloudFront OAI, Git-based content control, automated backups | VL | SECURITY_ARCHITECTURE.md |

📊 **Risk Assessment Summary:**

- Overall Risk Level: Very Low
- Primary Justification: Static website with no server-side code, no user data processing, no authentication, served via managed AWS infrastructure with comprehensive supply chain security controls
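The defacement row rests on two properties of the S3 bucket policy: no principal on the internet can write objects, and object reads are granted only to CloudFront (the legacy Origin Access Identity user ARN, or the `cloudfront.amazonaws.com` service principal if the distribution uses Origin Access Control). The following is an added example, not Hack23's real bucket policy or tooling: a Python check that evaluates a policy document for both properties. The two policies are constructed for the example, and the bucket name and OAI identifier are placeholders.

```python
"""Check an S3 bucket policy for anonymous writes and for reads limited to CloudFront."""
import json

# Constructed policies for this example (placeholders, not Hack23's real bucket policy).
OAI_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-homepage-bucket/*",
    }],
})

PUBLIC_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-homepage-bucket/*",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in Statement, Principal.AWS, and Action."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_write(action: str) -> bool:
    a = action.lower()
    return a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete"))


def _is_read(action: str) -> bool:
    return action.lower() in ("*", "s3:*", "s3:get*", "s3:getobject")


def public_write_statements(policy_json: str) -> list[str]:
    """Sids of Allow statements that grant a write action to an anonymous principal.

    Conditions are ignored on purpose: a conditioned public write still deserves review,
    so this check errs on the side of reporting.
    """
    bad = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        if any(_is_write(a) for a in _as_list(st.get("Action", []))):
            bad.append(st.get("Sid", f"Statement[{i}]"))
    return bad


def reads_limited_to_cloudfront(policy_json: str) -> bool:
    """True if every Allow of object reads names only CloudFront identities."""
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(_is_read(a) for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or _is_anonymous(principal):
            return False
        identities = _as_list(principal.get("AWS", [])) + _as_list(principal.get("Service", []))
        if not all("cloudfront" in ident.lower() for ident in identities):
            return False
    return True


if __name__ == "__main__":
    for name, policy in (("OAI-only", OAI_ONLY_POLICY), ("public", PUBLIC_WRITE_POLICY)):
        print(name, "public writes:", public_write_statements(policy),
              "reads limited to CloudFront:", reads_limited_to_cloudfront(policy))
```

Feed it the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` for a live check; note that Block Public Access settings and IAM user policies sit outside the bucket policy and must be reviewed separately.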

## 5️⃣ Essential Cybersecurity Requirements

*Supports CRA Annex I - Essential Cybersecurity Requirements Assessment*

### Annex I Part I: Security Properties

| # | Requirement | Applicability | Implementation | Status |
|---|---|---|---|---|
| 1.1 | Products designed without known exploitable vulnerabilities | ✅ Applicable | Static HTML/CSS only; CodeQL SAST, OWASP ZAP DAST scanning; Dependabot SCA | Compliant |
| 1.2 | Secure default configuration | ✅ Applicable | No configuration required by users; secure defaults in AWS CloudFront (TLS 1.3, security headers) | Compliant |
| 1.3 | Protection against unauthorized access | ⚠️ Limited | No user authentication needed; AWS IAM with OIDC for deployment; S3 bucket policy prevents unauthorized writes | Compliant |
| 1.4 | Protect confidentiality of data | ⚠️ Limited | All content is public by design; no confidential data stored; TLS 1.3 in transit, AES-256 at rest | Compliant |
| 1.5 | Protect integrity of data | ✅ Applicable | Git version control, S3 versioning, CloudFront origin access identity, CI validation pipeline | Compliant |
| 1.6 | Minimize data processing | ✅ Applicable | No personal data collected or processed; privacy-first design with no analytics tracking | Compliant |
| 1.7 | Protect availability | ✅ Applicable | CloudFront CDN with 400+ edge locations; Route53 health checks; GitHub Pages DR fallback | Compliant |
| 1.8 | Minimize negative impact on other services | ✅ Applicable | Static website cannot affect other services; no outbound connections; no API calls from served content | Compliant |
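Requirement 1.2 above rests on CloudFront's "TLS 1.3, security headers" defaults, but the table does not say which headers or how they are verified. The following is an added example, not part of this assessment or of the Hack23/homepage repository: a Python audit of a response header block against the set a static site is normally expected to send (HSTS with a one-year max-age and includeSubDomains, a CSP without unsafe-inline/unsafe-eval, nosniff, anti-framing, Referrer-Policy, Permissions-Policy). That header set is an assumption of the example, not a list taken from this page, and both responses are constructed rather than captured from hack23.com.

```python
"""Audit an HTTP response header block for the security headers a static site should send."""
import re

ONE_YEAR = 31536000  # minimum HSTS max-age; also the HSTS preload list threshold

# Constructed responses for this example (not captured from hack23.com).
HARDENED_RESPONSE = """\
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
"""

WEAK_RESPONSE = """\
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: default-src * 'unsafe-inline'
x-frame-options: SAMEORIGIN
"""


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a status line plus header lines (the shape `curl -sI` prints) into a dict.

    Names are lower-cased because HTTP header names are case-insensitive.
    """
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline or unsafe-eval")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Either the modern CSP directive or the legacy header blocks framing by other origins.
    anti_framing = "frame-ancestors" in (csp or "") or \
        headers.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not anti_framing:
        findings.append("no frame-ancestors or X-Frame-Options (clickjacking)")

    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in headers:
        findings.append("missing Permissions-Policy")
    return findings


if __name__ == "__main__":
    for name, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, audit_security_headers(parse_headers(raw)) or "OK")
```

For a live check, pipe `curl -sI https://hack23.com` into `parse_headers`. The header audit says nothing about the protocol version; the TLS 1.3 claim is checked separately with `openssl s_client -connect hack23.com:443 -tls1_3 </dev/null`, which fails to handshake if the server does not offer TLS 1.3.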

### Annex I Part II: Vulnerability Handling

| # | Requirement | Implementation | Status |
|---|---|---|---|
| 2.1 | Identify and document vulnerabilities | CodeQL SAST, OWASP ZAP DAST, Dependabot SCA, OpenSSF Scorecard supply chain analysis | Compliant |
| 2.2 | Address vulnerabilities without delay | Dependabot auto-PRs for dependency updates; vulnerability SLAs per Vulnerability Management Policy | Compliant |
| 2.3 | Apply effective testing | CI pipeline with HTMLHint, HTML5 validator, Linkinator, Lighthouse audits; OWASP ZAP full scan post-deployment | Compliant |
| 2.4 | Disclose vulnerabilities | SECURITY.md with GitHub Security Advisories; coordinated disclosure via [email protected] | Compliant |
| 2.5 | Provide security updates | Continuous deployment via GitHub Actions; automated dependency updates; SLSA Level 3 attestation for releases | Compliant |

## 6️⃣ Security Testing Evidence

*Supports CRA Annex V § 4 - Testing and Verification Documentation*

### Automated Security Testing Pipeline

| Test Type | Tool | Schedule | Scope | Evidence |
|---|---|---|---|---|
| SAST | CodeQL | PR + Push | HTML, JavaScript analysis | Code Scanning |
| DAST | OWASP ZAP Full Scan | Post-deployment | Live website https://hack23.com | ZAP Workflow |
| SCA | Dependabot | Continuous | npm dependencies | Dependabot Alerts |
| Supply Chain | OpenSSF Scorecard | Weekly | Repository security posture | Scorecard Results |
| Quality | HTMLHint + HTML5 Validator | PR + Push | All HTML files | PR Workflow |
| Links | Linkinator | PR + Push | All internal and external links | Quality Checks |
| Performance | Lighthouse CI | Post-deployment | Performance, Accessibility, SEO | Deploy Workflow |
| Accessibility | Lighthouse (WCAG 2.1 AA) | Post-deployment | All pages audited | Target: Score 100 |

### Build Attestation & Provenance

| Attestation Type | Tool | Level | Verification |
|---|---|---|---|
| Build Provenance | GitHub Attestations | SLSA Level 3 | `gh attestation verify` |
| Release Attestation | actions/attest-build-provenance | SLSA Level 3 | Signed build provenance |

**Verification Command:**

```bash
gh attestation verify <release-asset> --owner Hack23
```

`--owner Hack23` accepts an attestation signed by any workflow in the Hack23 organisation; to verify that the asset was built by this repository specifically, pass `--repo Hack23/homepage` instead.

## 7️⃣ Conformity Assessment Conclusion

### Assessment Summary

| Dimension | Assessment | Rationale |
|---|---|---|
| Product Type | Static HTML/CSS website | No server-side execution, no user data processing |
| CRA Classification | Standard (Non-commercial OSS) | Self-assessment approach sufficient |
| Overall Risk | Very Low | Minimal attack surface, read-only content delivery |
| Compliance Status | ✅ Conformant | All applicable CRA requirements addressed |

### Key Differentiators

1. Minimal Attack Surface: A static website with no server-side code eliminates entire categories of server-side vulnerabilities (injection, authentication bypass, session hijacking)
2. Defense in Depth: Despite the low risk, comprehensive security controls are applied (AWS CloudFront, TLS 1.3, security headers, supply chain security)
3. Transparency: Full security architecture, threat model, and CRA assessment published as open-source documentation
4. Automated Security: Continuous security scanning (CodeQL, ZAP, Scorecard, Dependabot) with automated remediation
5. ISMS Integration: Aligned with ISO 27001, NIST CSF 2.0, CIS Controls v8.1 through the Hack23 ISMS

### Conformity Declaration

This self-assessment confirms that the Hack23 Homepage meets applicable EU Cyber Resilience Act requirements for a Standard-classified non-commercial open-source software product. The static nature of the website, combined with comprehensive security controls and continuous monitoring, ensures a robust security posture with very low residual risk.


## 📋 ISMS Policy Alignment

| ISMS Policy | Relevance | Implementation |
|---|---|---|
| Secure Development Policy | CI/CD security, code review | Branch protection, automated scanning, PR reviews |
| Vulnerability Management | Vulnerability handling | Dependabot, CodeQL, ZAP, defined SLAs |
| Network Security Policy | CDN and TLS configuration | CloudFront TLS 1.3, security headers |
| Cryptography Policy | Encryption standards | AES-256 at rest, TLS 1.3 in transit |
| Access Control Policy | Deployment access | AWS OIDC, GitHub branch protection |
| Incident Response Plan | Security incident handling | Defined procedures, contact channels |
| Backup & Recovery Policy | DR strategy | S3 versioning, GitHub Pages fallback |
| Risk Register | Risk tracking | Integrated with threat model |
| Compliance Checklist | Multi-framework compliance | ISO 27001, NIST CSF, CIS Controls |