A proof-of-concept implementation demonstrating EU Cyber Resilience Act (CRA) compliance for automatic security updates
Currently the client updates all of the deployed devices manually with flash drives. This kind of worked in the past, but it is slow and doesn't meet the new Cyber Resilience Act (CRA) requirements.
The CRA says manufacturers need to provide automatic security updates by default.
According to the regulation:

> ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Key Requirements:
- ✅ Automatic security updates enabled by default
- ✅ Clear and easy opt-out mechanism
- ✅ Notification of available updates
- ✅ Option to temporarily postpone updates
- ✅ Appropriate timeframe for security patches
The client needs a solution for semi-automatic updates, where they can release updates, but it will be up to their customers to deploy them.
The system provides:
- Vendor Portal (Admin.Api + Admin.Web)
  - Web app for the vendor to upload new updates
  - Create and manage releases
  - Monitor device deployment status
- Customer Portal (ClientPortal.Api + ClientPortal.Web)
  - Web portal for customers to view available updates
  - Schedule deployment of software updates
  - Configure automatic update settings
  - Postpone updates with reason tracking
- Device Agent (ClientPortal.UpdateAgent)
  - Background service on customer devices
  - Automatically checks for and installs updates
  - Verifies update integrity and authenticity
- Secure Delivery
  - SHA-256 file integrity verification
  - RSA-4096 digital signatures
  - HTTPS/TLS transport encryption
  - Cloudflare Tunnel support

| Feature | Status | Implementation |
|---|---|---|
| Default automatic updates | ✅ | `Device.AutomaticUpdates = true` on registration |
| Easy opt-out | ✅ | Device settings API endpoint |
| Update notifications | ✅ | Customer portal lists all updates |
| Postpone capability | ✅ | Deployment postpone API with reason |
| Timeframe enforcement | ✅ | Max 7-day postpone for mandatory updates |
| Security transparency | ✅ | CVE lists, changelogs, severity levels |

- Separated APIs - Admin.Api (vendor) and ClientPortal.Api (customer)
- Shared Database - Single PostgreSQL database for data consistency
- File Upload - Multipart form-data with SHA-256 hashing
- Digital Signatures - RSA-4096 for update authenticity
- Deployment Tracking - Status, retry count, postpone tracking
- Tenant Isolation - Multi-tenant support
- Comprehensive Testing - 128 tests covering all features

```
┌─────────────────────────────────────────────────────────────┐
│                     VENDOR SIDE (Admin)                     │
├─────────────────────────────────────────────────────────────┤
│  Admin.Api     - Upload updates, create releases            │
│  Admin.Web     - Vendor admin portal (Blazor WASM)          │
│  Admin.Shared  - Shared models and DTOs                     │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│                CUSTOMER SIDE (ClientPortal)                 │
├─────────────────────────────────────────────────────────────┤
│  ClientPortal.Api          - View releases, manage devices  │
│  ClientPortal.Web          - Customer portal (Blazor WASM)  │
│  ClientPortal.UpdateAgent  - Device agent (background svc)  │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│                    SHARED INFRASTRUCTURE                    │
├─────────────────────────────────────────────────────────────┤
│  PostgreSQL         - Shared database (AdminDb)             │
│  .NET Aspire        - Service orchestration                 │
│  Cloudflare Tunnel  - Secure remote access                  │
└─────────────────────────────────────────────────────────────┘
```

- .NET 10.0 - Application framework
- ASP.NET Core Minimal APIs - Backend APIs
- Blazor WebAssembly - Frontend portals
- Entity Framework Core - Data access
- PostgreSQL - Database
- .NET Aspire - Orchestration
- FluentUI - UI components
- xUnit - Testing framework
- .NET 10.0 SDK
- Docker Desktop
- Git
- Clone the repository
  ```bash
  git clone <repository-url>
  cd SecureSoftwareDevelopment
  ```
- Restore packages
  ```bash
  dotnet restore
  ```
- Start Docker Desktop (required for PostgreSQL)
- Configure Aspire secrets (optional)
  ```bash
  cd src/AppHost
  dotnet user-secrets set "Parameters:postgres-username" "root"
  dotnet user-secrets set "Parameters:postgres-password" "password"
  ```
- Run with .NET Aspire
  ```bash
  cd src/AppHost
  dotnet run
  ```
- Access the application
  - Aspire Dashboard: https://localhost:15068 (view all services)
  - Admin API: Check dashboard for port (usually 7100)
  - Admin API Docs: https://localhost:7100/swagger
  - ClientPortal API: Check dashboard for port (usually 7200)
  - ClientPortal API Docs: https://localhost:7200/swagger
  - Admin Web: Check dashboard for port
  - ClientPortal Web: Check dashboard for port

```bash
# Build the solution
dotnet build

# Run tests (128 tests)
dotnet test

# Run specific test project
dotnet test tests/Admin.Api.Tests/

# Database migrations
cd src/Admin.Api
dotnet ef migrations add <MigrationName>
dotnet ef database update

# Clean build artifacts
dotnet clean
```

```
src/
├── Admin.Api/                  # Vendor backend API
├── Admin.Web/                  # Vendor portal (Blazor WASM)
├── Admin.Shared/               # Shared models and DTOs
├── ClientPortal.Api/           # Customer backend API
├── ClientPortal.Web/           # Customer portal (Blazor WASM)
├── ClientPortal.UpdateAgent/   # Device agent
├── AppHost/                    # .NET Aspire orchestration
└── ServiceDefaults/            # Common configurations
tests/
└── Admin.Api.Tests/            # Test suite (128 tests)
```

Admin.Api (Vendor Operations):

```
POST /api/updates                   # Upload new update
GET  /api/updates                   # List all updates
GET  /api/updates/{id}/download     # Download update file
POST /api/releases                  # Create release
GET  /api/releases                  # List all releases
```

ClientPortal.Api (Customer Operations):

```
GET  /api/releases/active           # View active releases
POST /api/devices                   # Register device
PUT  /api/devices/{id}/settings     # Configure auto-updates
POST /api/deployments/schedule      # Schedule deployment
PUT  /api/deployments/{id}/postpone # Postpone deployment
```

- Default Automatic Updates
  - All devices registered with `AutomaticUpdates = true` by default
  - Complies with CRA requirement for default automatic updates
- Clear Opt-Out Mechanism
  - Device settings endpoint allows disabling automatic updates
  - Customer portal provides UI to configure settings
- Update Notifications
  - Customer portal lists all available updates
  - Shows severity, CVE lists, changelogs
- Postpone Capability
  - Customers can postpone deployments with reason
  - System tracks postpone count and reasons
- Appropriate Timeframe
  - Mandatory security updates have 7-day max postpone period
  - Enforced at API level to ensure compliance
- Security Transparency
  - All updates show CVE lists
  - Severity levels (Critical, High, Medium, Low)
  - Detailed changelogs and security fixes

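
The 7-day limit on postponing mandatory updates, sketched as a server-side rule. This is an added example, not the project's own code: the type and member names are hypothetical, and it assumes the window is measured from the deployment's original schedule so that repeated postpones cannot stack.

```csharp
using System;
using System.Collections.Generic;

// Constructed scenario: a mandatory update originally scheduled for "now + 1 day".
var now = new DateTimeOffset(2025, 1, 10, 9, 0, 0, TimeSpan.Zero);
var d = new Deployment { IsMandatory = true, OriginallyScheduledAt = now.AddDays(1), ScheduledAt = now.AddDays(1) };

// Two postpones inside the window, then one that would push past it.
Console.WriteLine(PostponePolicy.TryPostpone(d, now.AddDays(5), "line audit", now));
Console.WriteLine(PostponePolicy.TryPostpone(d, now.AddDays(8), "still busy", now.AddDays(4)));
Console.WriteLine(PostponePolicy.TryPostpone(d, now.AddDays(9), "one more", now.AddDays(7)));

static class PostponePolicy
{
    static readonly TimeSpan MaxMandatoryPostpone = TimeSpan.FromDays(7);

    public static PostponeResult TryPostpone(Deployment d, DateTimeOffset requested, string reason, DateTimeOffset now)
    {
        if (string.IsNullOrWhiteSpace(reason))
            return new(false, "A reason is required.");
        if (requested <= now || requested <= d.ScheduledAt)
            return new(false, "New time must be later than now and the current schedule.");

        if (d.IsMandatory)
        {
            // Anchor the deadline to the ORIGINAL schedule, not the current one,
            // otherwise each postpone would grant a fresh 7 days.
            DateTimeOffset deadline = d.OriginallyScheduledAt + MaxMandatoryPostpone;
            if (requested > deadline)
                return new(false, $"Mandatory updates must install by {deadline:u}.");
        }

        d.ScheduledAt = requested;
        d.PostponeCount++;
        d.PostponeReasons.Add(reason);
        return new(true, "Postponed.");
    }
}

class Deployment
{
    public bool IsMandatory { get; init; }
    public DateTimeOffset OriginallyScheduledAt { get; init; }
    public DateTimeOffset ScheduledAt { get; set; }
    public int PostponeCount { get; set; }
    public List<string> PostponeReasons { get; } = new();
}

record PostponeResult(bool Accepted, string Message);
```
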
Run the CRA compliance integration tests:

```bash
dotnet test --filter "Category=CRACompliance"
```

All 10 CRA compliance tests verify:
- Default automatic updates
- Opt-out functionality
- Postpone mechanism
- Mandatory update enforcement
- Security transparency
- CLAUDE.md - Comprehensive architecture guide and development commands
- PROJECT_SUMMARY.md - High-level overview and feature summary
- ASPIRE_DATABASE_FIXES.md - Database setup troubleshooting
Test Coverage: 128 Tests
- ✅ 96 Repository tests (CRUD operations)
- ✅ 13 File storage tests (integrity verification)
- ✅ 9 API endpoint tests (behavior validation)
- ✅ 10 CRA compliance tests (regulatory requirements)
Run all tests:

```bash
dotnet test
# Passed! - Failed: 0, Passed: 128, Skipped: 0, Total: 128
```

Security Layers:
- API Key Authentication (device authentication)
- SHA-256 File Hashing (integrity verification)
- RSA-4096 Digital Signatures (authenticity verification)
- TLS/HTTPS (transport encryption)
- Tenant Isolation (database-level separation)
- Cloudflare Tunnel (secure remote access)
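
How the SHA-256 and RSA-4096 layers combine on the device before an update is installed, as an added example that is not the project's own code. It assumes the vendor signs the raw package bytes with RSA / SHA-256 / PKCS#1 v1.5 and publishes the expected hash as hex; all names and the sample payload are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Fail closed: returns true only if BOTH the digest and the signature check out.
static bool VerifyUpdate(byte[] package, string expectedSha256Hex, byte[] signature, RSA pinnedVendorKey)
{
    // 1. Integrity: recompute the digest and compare in constant time.
    byte[] expected;
    try { expected = Convert.FromHexString(expectedSha256Hex); }
    catch (FormatException) { return false; }
    byte[] actual = SHA256.HashData(package);
    if (!CryptographicOperations.FixedTimeEquals(actual, expected)) return false;

    // 2. Authenticity: a hash delivered over the same channel as the file only
    //    detects corruption, so the signature must verify against a public key
    //    that is pinned on the device rather than fetched alongside the update.
    return pinnedVendorKey.VerifyData(package, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}

// --- constructed sample data ---
using RSA vendorKey = RSA.Create(4096);   // stands in for the vendor's signing key
byte[] package = Encoding.UTF8.GetBytes("firmware-1.2.3 (constructed sample payload)");
string hashHex = Convert.ToHexString(SHA256.HashData(package));
byte[] sig = vendorKey.SignData(package, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

// The device holds only the public half.
using RSA pinned = RSA.Create();
pinned.ImportRSAPublicKey(vendorKey.ExportRSAPublicKey(), out _);

// Genuine package with matching hash and signature.
Console.WriteLine(VerifyUpdate(package, hashHex, sig, pinned));

// One byte changed, original metadata: the hash check rejects it.
byte[] modified = (byte[])package.Clone();
modified[0] ^= 0x01;
Console.WriteLine(VerifyUpdate(modified, hashHex, sig, pinned));

// One byte changed and the hash recomputed to match: only the signature check rejects it.
string rehashed = Convert.ToHexString(SHA256.HashData(modified));
Console.WriteLine(VerifyUpdate(modified, rehashed, sig, pinned));
```
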
Production Considerations:
- Hash API keys before storage
- Implement rate limiting
- Add DDoS protection
- Use certificate-based device auth
- Encrypt files at rest
- Security scan uploaded files
This is an educational project demonstrating CRA compliance principles.
Recommended for:
- ✅ Learning CRA compliance
- ✅ Architecture reference
- ✅ Starting point for production systems
- ✅ Academic/research purposes
Before production use:
- Security audit and penetration testing
- Implement production-grade authentication
- Add monitoring and alerting
- Set up proper CI/CD pipeline
- EU Cyber Resilience Act - Regulatory framework
- .NET Foundation - ASP.NET Core, Blazor, EF Core
- Microsoft - .NET Aspire, FluentUI
- Cloudflare - Secure tunneling solution
Built with .NET 10.0 | January 2025