SlideShare a Scribd company logo

A Deep Dive into Secure Product Development Frameworks.pdf

ICS
ICS

We tackle the question of what is a SPDF for medical device cybersecurity. We look to provide actionable advice that clarifies implementation, and you can apply in your day-to-day tasks.

1 of 30
Download to read offline
1 Cybersecurity in Medical Devices Practical Advice for FDA’s 510(k) Secure Product Development Framework (SPDF)
About Us – Complementary Partners 2 INTEGRITY Security Services (ISS) is a wholly owned subsidiary of Green Hills Software LLC., established to provide best practice embedded security products and services for the protection of smart devices in all industries from cyber security attacks. ISS's experience enables them to provide the world’s first Secure Platform for Medical (SPM) which dramatically reduces time and resources for medical device OEMs to meet Omnibus Act Section 3305 and FD & C Section 524B. BG Networks equips embedded engineers and penetration testers with easy-to-use software automation tools to streamline cybersecurity tasks including hardening, detection, and testing. BG Networks automation tools are designed to help with adherence to regulations from the FDA, NIST, ISO, and the EU. ICS supports our customers with software development, User experience design, platform and regulatory support to build next generation products. We provide a number of services focused on the medtech space including human factors engineering with a 62366 compliant process, hazard and risk analysis, 62304 compliant software development, and platform support including cybersecurity. Cybersecurity Services Cyber-Testing Detection Hardening Risk Management
Speaker Introductions 3 David Sequino Founder & CEO Colin Duggan Founder & CEO Milton Yarberry Director of Medical Programs & Cybersecurity
Topics for Upcoming Webinars In This Series Following are topics for upcoming webinars June 20th Secure-by-Design - Using Hardware and Software Protection for FDA Compliance Threat modeling and risk assessment – First step in risk management Security by design & defense in depth – Security control categories called for by the FDA Cyber-testing – What the FDA expects Cybersecurity documentation - eSTAR submissions Post Market Requirements – Fixing Vulnerabilities: SBOM – Updates - Monitoring Bolting On Security – Is there anything that can be done if I already have a design 4
Agenda • What does FD&C Act, 524B, say about SPDF • What is a SPDF • Introduction to a SPDF foundation • Example of application of a SPDF • SPDF documents the FDA has asked for 5
Questions For Us - A Question For You – Link to Previous Webinar Questions for us • Put your questions in the Q&A • For questions we don’t get to, we’ll write answers and make them available after A question for you How confident are you that your medical devices processes meet FDA’s SPDF expectations? • Please respond now • We’ll also ask at the end to see if your perspective has changed For reference here is the previous webinar in this series and the answers to questions asked • Link to previous webinar: https://www.ics.com/webinar-demand-practical-advice-fdas-510k-requirements • Link to previous Q&A: https://www.ics.com/questions-answers-fdas-510k-requirements-webinar • We’ll put both in the chat 6
Primary goal of SPDF To manufacture and maintain safe and effective devices From a security standpoint, these are also trustworthy and resilient devices
Sponsors Must • Submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits • Provide a software bill of materials (SBOM) • Design, develop, and maintain processes to ensure device and related systems are cybersecure and provide postmarket updates and patches Effective March 29, 2023, the FD&C Act was amended to include section 524B "Ensuring Cybersecurity of Devices” that is introducing cybersecurity provisions for devices meeting the definition of a cyber device. Cyber device means a device that: 1. includes software … as a device or in a device; 2. has the ability to connect to the internet; and 3. contains any such technological characteristics … that could be vulnerable to cybersecurity threats YES, this includes devices only with a USB port Text 524B
Slide 9 Example Safety & Security Verticals Slide 9 9 IEC 62443 UNR 155/6 ISO 21434 NIST 800-53 DO – 326A DO – 355 ARINC 667 ARINC 835 NIST 800-53 Many TCG Stds FD&C Section 524B EU MDR DO – 178B NIST 800-53 NIST 800-53
Slide 10 • Patient Harm • Patient confidence in Health Delivery Organizations • Authenticity, which includes integrity • Authorization • Availability • Confidentiality • Secure and timely updatability and patchability Safety & Security go “hand in hand” Slide 10 Safety Security
11 Cybersecurity SPDF | Highest Level View Process Documents Image from flaticon.com The FDA won’t inspect your SPDF cybersecurity processes for 510(k) clearance… (but they would for a PMA or routine FDA inspection) … but you want to make sure your processes ensure safety and effectiveness And it results in documents that match expectations for the FDA’s review
Device Lifecycle Must be Considered in Your SPDF Design/Develop/Test Manufacture Test/Provision/Release Support/Update/Decom Supply Chain Sites / Phases Assets Across Supply Chain Users Devices Digital Assets Sites Users Devices Digital Assets Sites Users Devices Digital Assets Sites Users Devices Digital Assets Sites
13 Elements that Make Up a SPDF | Many Ingredients Blended Together SPDF Inputs Cybersecurity Specific Medical Device SPDF Patient Safety & QMS Should Reference SPDF Docs
Requirements Management SBOM Features Dev. Code Quality CI / CD Pre-Production Testing Post-Production Supporting End of Life Competence Development Threat Modeling Risk Assessment Implement cybersecurity features Static analysis, MISRA C, etc.. Generation CWE/CVE check Validation Pentesting Code Signing Release / Delivery Key Management Locking Hardware Vulnerability Monitoring Feedback / Incident Response Software Updates Diagnostic Tools Secure Decommissioning Software Development Lifecycle Security Development Lifecycle Legend 14 Secure Product Development Framework (SPDF) Based on IEC 81001-5-1
Overview of IEC 81001-5-1 And AAMI SW96:2023 How They Can Be Used As a Foundation for SPDF
Developed to Complement Your Existing QMS and Risk Processes QMS SPDF
IEC 81001-5-1 | Overview – A Software SPDF IEC 81001-5: Finalized in December 2021 • Derived from an existing industrial cyber-security standard but adapted for medical devices • IEC 62443-4: Product Security Development Lifecycle Requirements IEC 81001-5 developed to be an extension to IEC 62304 • IEC 62304: Medical Device Software – Software Life Cycle Processes Recognized around the world • FDA Consensus standard • EU MDR is adopting • Required in Japan A couple of items to keep in mind • Does not exactly match FDA guidance and documentation required for pre market submission • Risk Management section is light-weight (reason to complement with AAMI SW:96)
AAMI SW96: 2023 | Security Risk Management For Medical Devices • SW96:2023 is a full standard based on Technical Information Reports : TIR57 and TIR97 • Developed to work within the ISO 14971 risk framework • SW96:2023 has a broader definition of harm than ISO 14971 From ANSI/AAMI SW96:2023 Pg 27
Example Overview of SPDF Steps
M Cybersecurity Process Secure Product Development Framework (SPDF) Design Controls Design Inputs Cyber ReqA Cyber ReqB Design outputs Cyber SpecX Cyber SpecY Cyber SpecZ Binaries Verification Tests Cyber TestX Cyber TestY Cyber TestZ Mitigations MitigationX MitigationY MitigationZ Threat Assessment ThreatX ThreatY ThreatZ Security Architecture Architecture Diagrams Component Analysis Connectivity definitions Use Case Views Code Known Abnormalities (test failures) Static Software Code Analysis Source SCA Binary SCA SBOM Triage & Justifications Vulnerability Report Penetration Testing (independent white hat) Post Market Vulnerability Management Plan Customer Transparency Plan Published Vulnerabilities Threat Mitigation Testing (vs. ReqA, ReqB) Vulnerability Testing (i.e. malformed input, fuzzing, etc.) Cybersecurity Assessment Security Risk Management Report (PMA - Annual) Security Risk Management Plan Security Risk Test Plan 20 SPDF composition Mitigations
Example Ankle Worn Stroke Detection Data Acquisition AMPS from the MITRE / MDIC Medical Device Threat Modeling Hand Book Threat Modeling • We like data flow diagrams • They make it easy to see trust boundaries • Good start to 4 architectural views the FDA has mandated Example : Bluetooth • On the AMPS device • An important interface to keep secure! FDA Submission Document Architectural Views Guidance Section : V.B
Threat Modeling STRIDE – Asset - Attack Path – Attack Feasibility 1) STRIDE 2) Asset 3) Attack Path 4) Score FDA Submission Document Threat Model Guidance Section : V.A, V.B, Appendix 1,2 1. Attacker pairs via bluetooth to AMPs device 2. Attacker reverse engineers code update API 3. Attacker uses API to install mallicious code <= two weeks Expert Restricted Easy Standard 12 Medium-High Attack Path Window of Opportunity Equipment Difficulty Score (lower means easier to hack) Attack Potential Knowledge of TOE Elapsed Time Expertise Overall Attack Potential Score High 0 Medium-High 10 Medium 14 Low 20 Very low 25 Control plane code execution Wrong data provided to Bluetooth app from AMPS device Asset Name Threat Scenario
Impact - Risk Rating - Requirements (Inputs) Asset Name Damage Scenario Adverse Consequence Control plane code execution Wrong data provided to Bluetooth app from AMPS device 1) Incorrect data provided to doctor to determine patient's risk of stroke 2) Manufacturer could be legally liable 3) AMPS device functionaliy impaired Reduce 1) Implement authentication scheme for Bluetooth access Goal Goal 1: Bluetooth access requires authentication Requirement 1: Use Bluetooth LE Secure Connections based on Elliptic Curve Diffie Hellman challenge-response. Requires screen and yes/no buttons for user interface Cybersecurity Goal(s) or Claim Goals or Claim Summary Goal Requirement(s) Risk Treatment Decision Risk Treatment Details 5) Consequence 6) Impact 7) Risk Rating 8) Requirement FDA Submission Document Cybersecurity Risk Assessment Guidance Section : V.A FDA Submission Document Requirements Guidance Section : V.B.1, App.1 Safety Financial Operational Privacy Moderate Major Major Moderate Major S: Patient could be at risk of a stroke but is not treated F: If could be proven that the wrong data is being sent the medical device manufacturer could be liable O: Device is not functioning correctly P: Vital signs and stroke related data stolen Impact Categories Overall Impact Impact Justification Attack Feasibility Rating Very low Low Medium Medium-High High Impact Rating Severe 2 3 4 5 5 Major 1 2 3 4 5 Moderate 1 2 2 3 4 Negligible 1 1 1 1 2 Major Medium-High 4 Impact Rating Attack Feasability Rating Risk Value (1 - 5)
SBOM FDA Submission Document SBOM Guidance Section : V.A.4, VI.A FDA Submission Document Vulnerability Assessment and Software Support Guidance Section : V.A.4 Common formats? • SPDX (older, licensing focus) • CycloneDX (lightweight, open source focus) • SWID (software tracking focus) What’s in it? • Types of info: • SW Component data fields • SBOM Author • Automation fields How created? • OS + commercial SW + open source • From build system • Component analysis tools • Vulnerability scanning tools • Simpler with managed packages How used? • Lookup in National Vulnerability Databases – (nvd.nist.gov/vuln/search) • Automation tools intended for this purpose JSON YAML Tag, Value
Cyber-Testing - Verification of Outputs Four Types of Testing Called for by the FDA FDA Submission Document Testing Guidance Section : V.C TYPES OF TEST DESCRIPTION BLUETOOTH EXAMPLE Security Requirements Testing • Verification of input/requirement for security features • Testing of functionality including boundary cases • Positive and negative tests of Elliptic Curve Diffie Helman challenge-response • Verify that programming API and device characteristics are available only after auth. Threat Mitigation Testing • Validation/system level testing • Tie back to threat model • Consider global system, multi-patient harm, patchability • Test security of keys from brute force attacks • Consider break-one-break-them-all scenarios if unique keys per device not specified • Test for authentication bypass (e.g. pairing accepted without correct response) Vulnerability Testing • Testing for malformed inputs • Unexpected inputs • Vulnerability Chaining • Fuzzing, scanning, encryption check, static & dynamic code analysis • NIST NVD and CISA Known Exploited Vulnerabilities Catalog for Bluetooth vulns. using CPE. Penetration Testing • Testing done by personnel who have not worked on the design • White box testing recommended : more efficient & accepted by FDA • One week of pentesting on Bluetooth interfaces • MITM attacks, key extraction from app, key extraction for AMPS device (e.g., JTAG, USB, UART), malformed inputs, DoS, etc…
Cybersecurity Risk Management Report Risk Management Report Vulnerability/Threat Mitigation/Penetration Testing SBOM Threat Modeling Threat Intelligence (e.g., CISA Vulnerability Catalog) FDA Submission Document Cybersecurity Risk Management Report Guidance Section : V, VI.B FDA Submission Document Unresolved Anomaly Assessment Guidance Section : V.A.5 FDA Submission Document Traceability Guidance Section : V.A, V.B, V.C, VI.A Overview • 3 Report Descriptions • FDA Submission Document: V, VI.B • TIR57, sec. 8. • SW96 Appendix C • Terms and concepts from the three sources are slightly different • Summary and References • Risk Management Report should succinctly SUMMARIZE the risk management process followed, and details of the outcome • Full analysis, assessments, models are REFERENCED in report Report Contents • System Description • Device Intended Use • Operating Environment • Threat Model • Security Risk Assessment • SBOM • Vulnerability Assessment • Unresolved Anomalies Assessment • Risk evaluation methods and processes • Residual Risk conclusions • Risk Mitigation activities • Component support information • Traceability: threat model / risk assessment / SBOM / testing documentation
Labeling FDA Submission Document Labeling Guidance Section : VI.A Labeling as applied to cybersecurity • How to securely configure/set secure passwords • Document risks that are transferred • Security information of IT cybersecurity staff • Device identification on a network and how to track • Logging and attack detection information • Instructions to obtain software updates • Date of end of life support • How a device under attack will notify user • Protections against catastrophic events Labeling for example • How to set password in BT phone app • No risks transferred – all BT risks mitigated • Security information of IT cybersecurity staff • Unique device IDs tracked through app to cloud • IDS alerts provided on detection of attacks • URL on company website for software updates • End of life date negotiated between medical device manufacturer and HDO Labeling for user to help manage security risks - “Manufacturers should provide or make available SBOM information to users on a continuous basis” - Online portal to publish SBOM information, vulnerability information. Updated. Accurate.
Post Market FDA Submission Document Cybersecurity Management Plans Guidance Section : VI.B FDA Submission Document Measures and Metrics Guidance Section : V.A.6 Cybersecurity Management Plans • Personnel responsible • Post market vulnerability monitor plan and sources of threat intel • Update process and time to patch • Vulnerability disclosure to manufacturer & communication to HDOs • Communicate through Online portal Measures & Metrics • Percentage of vulnerabilities that are patched • Time from vulnerability identification to patching • Duration from when a patch is available to implementation in devices deployed
One Result of your SPDF Documentation for FDA Pre-Market Submission – Appendix 4
Poll Question, Q&A

Recommended

Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdf
ICS
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
ICS
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
IBM
 
Critical Steps in Software Development: Enhance Your Chances for a Successful...
Critical Steps in Software Development: Enhance Your Chances for a Successful...Critical Steps in Software Development: Enhance Your Chances for a Successful...
Critical Steps in Software Development: Enhance Your Chances for a Successful...
Sterling Medical Devices
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
David Shepherd
 

Recommended

Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdf
ICS
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
ICS
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
IBM
 
Critical Steps in Software Development: Enhance Your Chances for a Successful...
Critical Steps in Software Development: Enhance Your Chances for a Successful...Critical Steps in Software Development: Enhance Your Chances for a Successful...
Critical Steps in Software Development: Enhance Your Chances for a Successful...
Sterling Medical Devices
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
David Shepherd
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
Ben Rothke
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
LabSharegroup
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
Kaspersky
 
GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?
QualiQuali
 
Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up
ICS
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?
Walt Maclay
 
Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?
Rio Valdes
 
IEC 62304: SDLC Conformance and Management
IEC 62304: SDLC Conformance and Management IEC 62304: SDLC Conformance and Management
IEC 62304: SDLC Conformance and Management
MethodSense, Inc.
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges
Nathan Wallace, PhD, PE
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)
Seapine Software
 
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability MatrixBeyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Seapine Software
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
Onward Security
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated Environments
DevOps.com
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA Cyber Security
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
chris odle
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
Syam Madanapalli
 
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Tripwire
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
Avi Networks
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
ICS
 

More Related Content

Similar to A Deep Dive into Secure Product Development Frameworks.pdf

How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
Ben Rothke
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
LabSharegroup
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
Kaspersky
 
GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?
QualiQuali
 
Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up
ICS
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?
Walt Maclay
 
Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?
Rio Valdes
 
IEC 62304: SDLC Conformance and Management
IEC 62304: SDLC Conformance and Management IEC 62304: SDLC Conformance and Management
IEC 62304: SDLC Conformance and Management
MethodSense, Inc.
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges
Nathan Wallace, PhD, PE
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)
Seapine Software
 
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability MatrixBeyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Seapine Software
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
Onward Security
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated Environments
DevOps.com
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA Cyber Security
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
chris odle
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
Syam Madanapalli
 
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Tripwire
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
Avi Networks
 

Similar to A Deep Dive into Secure Product Development Frameworks.pdf (20)

How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?
 
Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?Security for Healthcare Devices – Will Your Device Be Good Enough?
Security for Healthcare Devices – Will Your Device Be Good Enough?
 
Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?Security for Healthcare Devices - Will Your Device Be Good Enough?
Security for Healthcare Devices - Will Your Device Be Good Enough?
 
IEC 62304: SDLC Conformance and Management
IEC 62304: SDLC Conformance and Management IEC 62304: SDLC Conformance and Management
IEC 62304: SDLC Conformance and Management
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)
 
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability MatrixBeyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated Environments
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
 
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
 

More from ICS

Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
ICS
 
Overcoming CMake Configuration Issues Webinar
Overcoming CMake Configuration Issues WebinarOvercoming CMake Configuration Issues Webinar
Overcoming CMake Configuration Issues Webinar
ICS
 
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
Enhancing Quality and Test in Medical Device Design - Part 2.pdfEnhancing Quality and Test in Medical Device Design - Part 2.pdf
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
ICS
 
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdfDesigning and Managing IoT Devices for Rapid Deployment - Webinar.pdf
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
ICS
 
Quality and Test in Medical Device Design - Part 1.pdf
Quality and Test in Medical Device Design - Part 1.pdfQuality and Test in Medical Device Design - Part 1.pdf
Quality and Test in Medical Device Design - Part 1.pdf
ICS
 
Creating Digital Twins Using Rapid Development Techniques.pdf
Creating Digital Twins Using Rapid Development Techniques.pdfCreating Digital Twins Using Rapid Development Techniques.pdf
Creating Digital Twins Using Rapid Development Techniques.pdf
ICS
 
Cybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfCybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdf
ICS
 
MDG Panel - Creating Expert Level GUIs for Complex Medical Devices
MDG Panel - Creating Expert Level GUIs for Complex Medical DevicesMDG Panel - Creating Expert Level GUIs for Complex Medical Devices
MDG Panel - Creating Expert Level GUIs for Complex Medical Devices
ICS
 
How to Craft a Winning IOT Device Management Solution
How to Craft a Winning IOT Device Management SolutionHow to Craft a Winning IOT Device Management Solution
How to Craft a Winning IOT Device Management Solution
ICS
 
Bridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory TeamsBridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory Teams
ICS
 
IoT Device Fleet Management: Create a Robust Solution with Azure
IoT Device Fleet Management: Create a Robust Solution with AzureIoT Device Fleet Management: Create a Robust Solution with Azure
IoT Device Fleet Management: Create a Robust Solution with Azure
ICS
 
Basic Cmake for Qt Users
Basic Cmake for Qt UsersBasic Cmake for Qt Users
Basic Cmake for Qt Users
ICS
 
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
ICS
 
Qt Installer Framework
Qt Installer FrameworkQt Installer Framework
Qt Installer Framework
ICS
 
Bridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory TeamsBridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory Teams
ICS
 
Overcome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyOvercome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case Study
ICS
 
User Experience Design for IoT
User Experience Design for IoTUser Experience Design for IoT
User Experience Design for IoT
ICS
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
ICS
 
5 Key Considerations at the Start of SaMD Development
5 Key Considerations at the Start of SaMD Development5 Key Considerations at the Start of SaMD Development
5 Key Considerations at the Start of SaMD Development
ICS
 

More from ICS (20)

Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
Accelerating Development of a Safety-Critical Cobot Welding System with Qt/QM...
 
Overcoming CMake Configuration Issues Webinar
Overcoming CMake Configuration Issues WebinarOvercoming CMake Configuration Issues Webinar
Overcoming CMake Configuration Issues Webinar
 
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
Enhancing Quality and Test in Medical Device Design - Part 2.pdfEnhancing Quality and Test in Medical Device Design - Part 2.pdf
Enhancing Quality and Test in Medical Device Design - Part 2.pdf
 
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdfDesigning and Managing IoT Devices for Rapid Deployment - Webinar.pdf
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
 
Quality and Test in Medical Device Design - Part 1.pdf
Quality and Test in Medical Device Design - Part 1.pdfQuality and Test in Medical Device Design - Part 1.pdf
Quality and Test in Medical Device Design - Part 1.pdf
 
Creating Digital Twins Using Rapid Development Techniques.pdf
Creating Digital Twins Using Rapid Development Techniques.pdfCreating Digital Twins Using Rapid Development Techniques.pdf
Creating Digital Twins Using Rapid Development Techniques.pdf
 
Cybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfCybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdf
 
MDG Panel - Creating Expert Level GUIs for Complex Medical Devices
MDG Panel - Creating Expert Level GUIs for Complex Medical DevicesMDG Panel - Creating Expert Level GUIs for Complex Medical Devices
MDG Panel - Creating Expert Level GUIs for Complex Medical Devices
 
How to Craft a Winning IOT Device Management Solution
How to Craft a Winning IOT Device Management SolutionHow to Craft a Winning IOT Device Management Solution
How to Craft a Winning IOT Device Management Solution
 
Bridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory TeamsBridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory Teams
 
IoT Device Fleet Management: Create a Robust Solution with Azure
IoT Device Fleet Management: Create a Robust Solution with AzureIoT Device Fleet Management: Create a Robust Solution with Azure
IoT Device Fleet Management: Create a Robust Solution with Azure
 
Basic Cmake for Qt Users
Basic Cmake for Qt UsersBasic Cmake for Qt Users
Basic Cmake for Qt Users
 
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
 
Qt Installer Framework
Qt Installer FrameworkQt Installer Framework
Qt Installer Framework
 
Bridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory TeamsBridging the Gap Between Development and Regulatory Teams
Bridging the Gap Between Development and Regulatory Teams
 
Overcome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyOvercome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case Study
 
User Experience Design for IoT
User Experience Design for IoTUser Experience Design for IoT
User Experience Design for IoT
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
 
5 Key Considerations at the Start of SaMD Development
5 Key Considerations at the Start of SaMD Development5 Key Considerations at the Start of SaMD Development
5 Key Considerations at the Start of SaMD Development
 

Recently uploaded

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
SOCRadar
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Undress Baby
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
lorraineandreiamcidl
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 

Recently uploaded (20)

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 

A Deep Dive into Secure Product Development Frameworks.pdf

  • 1. 1 Cybersecurity in Medical Devices Practical Advice for FDA’s 510(k) Secure Product Development Framework (SPDF)
  • 2. About Us – Complementary Partners 2 INTEGRITY Security Services (ISS) is a wholly owned subsidiary of Green Hills Software LLC., established to provide best practice embedded security products and services for the protection of smart devices in all industries from cyber security attacks. ISS's experience enables them to provide the world’s first Secure Platform for Medical (SPM) which dramatically reduces time and resources for medical device OEMs to meet Omnibus Act Section 3305 and FD & C Section 524B. BG Networks equips embedded engineers and penetration testers with easy-to-use software automation tools to streamline cybersecurity tasks including hardening, detection, and testing. BG Networks automation tools are designed to help with adherence to regulations from the FDA, NIST, ISO, and the EU. ICS supports our customers with software development, User experience design, platform and regulatory support to build next generation products. We provide a number of services focused on the medtech space including human factors engineering with a 62366 compliant process, hazard and risk analysis, 62304 compliant software development, and platform support including cybersecurity. Cybersecurity Services Cyber-Testing Detection Hardening Risk Management
  • 3. Speaker Introductions 3 David Sequino Founder & CEO Colin Duggan Founder & CEO Milton Yarberry Director of Medical Programs & Cybersecurity
  • 4. Topics for Upcoming Webinars In This Series Following are topics for upcoming webinars June 20th Secure-by-Design - Using Hardware and Software Protection for FDA Compliance Threat modeling and risk assessment – First step in risk management Security by design & defense in depth – Security control categories called for by the FDA Cyber-testing – What the FDA expects Cybersecurity documentation - eSTAR submissions Post Market Requirements – Fixing Vulnerabilities: SBOM – Updates - Monitoring Bolting On Security – Is there anything that can be done if I already have a design 4
  • 5. Agenda • What does FD&C Act, 524B, say about SPDF • What is a SPDF • Introduction to a SPDF foundation • Example of application of a SPDF • SPDF documents the FDA has asked for 5
  • 6. Questions For Us - A Question For You – Link to Previous Webinar Questions for us • Put your questions in the Q&A • For questions we don’t get to, we’ll write answers and make them available after A question for you How confident are you that your medical devices processes meet FDA’s SPDF expectations? • Please respond now • We’ll also ask at the end to see if your perspective has changed For reference here is the previous webinar in this series and the answers to questions asked • Link to previous webinar: https://www.ics.com/webinar-demand-practical-advice-fdas-510k-requirements • Link to previous Q&A: https://www.ics.com/questions-answers-fdas-510k-requirements-webinar • We’ll put both in the chat 6
  • 7. Primary goal of SPDF To manufacture and maintain safe and effective devices From a security standpoint, these are also trustworthy and resilient devices
  • 8. Sponsors Must • Submit a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits • Provide a software bill of materials (SBOM) • Design, develop, and maintain processes to ensure device and related systems are cybersecure and provide postmarket updates and patches Effective March 29, 2023, the FD&C Act was amended to include section 524B "Ensuring Cybersecurity of Devices” that is introducing cybersecurity provisions for devices meeting the definition of a cyber device. Cyber device means a device that: 1. includes software … as a device or in a device; 2. has the ability to connect to the internet; and 3. contains any such technological characteristics … that could be vulnerable to cybersecurity threats YES, this includes devices only with a USB port Text 524B
  • 9. Slide 9 Example Safety & Security Verticals Slide 9 9 IEC 62443 UNR 155/6 ISO 21434 NIST 800-53 DO – 326A DO – 355 ARINC 667 ARINC 835 NIST 800-53 Many TCG Stds FD&C Section 524B EU MDR DO – 178B NIST 800-53 NIST 800-53
  • 10. Slide 10 • Patient Harm • Patient confidence in Health Delivery Organizations • Authenticity, which includes integrity • Authorization • Availability • Confidentiality • Secure and timely updatability and patchability Safety & Security go “hand in hand” Slide 10 Safety Security
  • 11. 11 Cybersecurity SPDF | Highest Level View Process Documents Image from flaticon.com The FDA won’t inspect your SPDF cybersecurity processes for 510(k) clearance… (but they would for a PMA or routine FDA inspection) … but you want to make sure your processes ensure safety and effectiveness And it results in documents that match expectations for the FDA’s review
  • 12. Device Lifecycle Must be Considered in Your SPDF Design/Develop/Test Manufacture Test/Provision/Release Support/Update/Decom Supply Chain Sites / Phases Assets Across Supply Chain Users Devices Digital Assets Sites Users Devices Digital Assets Sites Users Devices Digital Assets Sites Users Devices Digital Assets Sites
  • 13. 13 Elements that Make Up a SPDF | Many Ingredients Blended Together SPDF Inputs Cybersecurity Specific Medical Device SPDF Patient Safety & QMS Should Reference SPDF Docs
  • 14. Requirements Management SBOM Features Dev. Code Quality CI / CD Pre-Production Testing Post-Production Supporting End of Life Competence Development Threat Modeling Risk Assessment Implement cybersecurity features Static analysis, MISRA C, etc.. Generation CWE/CVE check Validation Pentesting Code Signing Release / Delivery Key Management Locking Hardware Vulnerability Monitoring Feedback / Incident Response Software Updates Diagnostic Tools Secure Decommissioning Software Development Lifecycle Security Development Lifecycle Legend 14 Secure Product Development Framework (SPDF) Based on IEC 81001-5-1
  • 15. Overview of IEC 81001-5-1 And AAMI SW96:2023 How They Can Be Used As a Foundation for SPDF
  • 16. Developed to Complement Your Existing QMS and Risk Processes QMS SPDF
  • 17. IEC 81001-5-1 | Overview – A Software SPDF IEC 81001-5: Finalized in December 2021 • Derived from an existing industrial cyber-security standard but adapted for medical devices • IEC 62443-4: Product Security Development Lifecycle Requirements IEC 81001-5 developed to be an extension to IEC 62304 • IEC 62304: Medical Device Software – Software Life Cycle Processes Recognized around the world • FDA Consensus standard • EU MDR is adopting • Required in Japan A couple of items to keep in mind • Does not exactly match FDA guidance and documentation required for pre market submission • Risk Management section is light-weight (reason to complement with AAMI SW:96)
  • 18. AAMI SW96: 2023 | Security Risk Management For Medical Devices • SW96:2023 is a full standard based on Technical Information Reports : TIR57 and TIR97 • Developed to work within the ISO 14971 risk framework • SW96:2023 has a broader definition of harm than ISO 14971 From ANSI/AAMI SW96:2023 Pg 27
  • 20. M Cybersecurity Process Secure Product Development Framework (SPDF) Design Controls Design Inputs Cyber ReqA Cyber ReqB Design outputs Cyber SpecX Cyber SpecY Cyber SpecZ Binaries Verification Tests Cyber TestX Cyber TestY Cyber TestZ Mitigations MitigationX MitigationY MitigationZ Threat Assessment ThreatX ThreatY ThreatZ Security Architecture Architecture Diagrams Component Analysis Connectivity definitions Use Case Views Code Known Abnormalities (test failures) Static Software Code Analysis Source SCA Binary SCA SBOM Triage & Justifications Vulnerability Report Penetration Testing (independent white hat) Post Market Vulnerability Management Plan Customer Transparency Plan Published Vulnerabilities Threat Mitigation Testing (vs. ReqA, ReqB) Vulnerability Testing (i.e. malformed input, fuzzing, etc.) Cybersecurity Assessment Security Risk Management Report (PMA - Annual) Security Risk Management Plan Security Risk Test Plan 20 SPDF composition Mitigations
  • 21. Example Ankle Worn Stroke Detection Data Acquisition AMPS from the MITRE / MDIC Medical Device Threat Modeling Hand Book Threat Modeling • We like data flow diagrams • They make it easy to see trust boundaries • Good start to 4 architectural views the FDA has mandated Example : Bluetooth • On the AMPS device • An important interface to keep secure! FDA Submission Document Architectural Views Guidance Section : V.B
  • 22. Threat Modeling STRIDE – Asset - Attack Path – Attack Feasibility 1) STRIDE 2) Asset 3) Attack Path 4) Score FDA Submission Document Threat Model Guidance Section : V.A, V.B, Appendix 1,2 1. Attacker pairs via bluetooth to AMPs device 2. Attacker reverse engineers code update API 3. Attacker uses API to install mallicious code <= two weeks Expert Restricted Easy Standard 12 Medium-High Attack Path Window of Opportunity Equipment Difficulty Score (lower means easier to hack) Attack Potential Knowledge of TOE Elapsed Time Expertise Overall Attack Potential Score High 0 Medium-High 10 Medium 14 Low 20 Very low 25 Control plane code execution Wrong data provided to Bluetooth app from AMPS device Asset Name Threat Scenario
  • 23. Impact - Risk Rating - Requirements (Inputs) Asset Name Damage Scenario Adverse Consequence Control plane code execution Wrong data provided to Bluetooth app from AMPS device 1) Incorrect data provided to doctor to determine patient's risk of stroke 2) Manufacturer could be legally liable 3) AMPS device functionaliy impaired Reduce 1) Implement authentication scheme for Bluetooth access Goal Goal 1: Bluetooth access requires authentication Requirement 1: Use Bluetooth LE Secure Connections based on Elliptic Curve Diffie Hellman challenge-response. Requires screen and yes/no buttons for user interface Cybersecurity Goal(s) or Claim Goals or Claim Summary Goal Requirement(s) Risk Treatment Decision Risk Treatment Details 5) Consequence 6) Impact 7) Risk Rating 8) Requirement FDA Submission Document Cybersecurity Risk Assessment Guidance Section : V.A FDA Submission Document Requirements Guidance Section : V.B.1, App.1 Safety Financial Operational Privacy Moderate Major Major Moderate Major S: Patient could be at risk of a stroke but is not treated F: If could be proven that the wrong data is being sent the medical device manufacturer could be liable O: Device is not functioning correctly P: Vital signs and stroke related data stolen Impact Categories Overall Impact Impact Justification Attack Feasibility Rating Very low Low Medium Medium-High High Impact Rating Severe 2 3 4 5 5 Major 1 2 3 4 5 Moderate 1 2 2 3 4 Negligible 1 1 1 1 2 Major Medium-High 4 Impact Rating Attack Feasability Rating Risk Value (1 - 5)
  • 24. SBOM FDA Submission Document SBOM Guidance Section : V.A.4, VI.A FDA Submission Document Vulnerability Assessment and Software Support Guidance Section : V.A.4 Common formats? • SPDX (older, licensing focus) • CycloneDX (lightweight, open source focus) • SWID (software tracking focus) What’s in it? • Types of info: • SW Component data fields • SBOM Author • Automation fields How created? • OS + commercial SW + open source • From build system • Component analysis tools • Vulnerability scanning tools • Simpler with managed packages How used? • Lookup in National Vulnerability Databases – (nvd.nist.gov/vuln/search) • Automation tools intended for this purpose JSON YAML Tag, Value
  • 25. Cyber-Testing - Verification of Outputs Four Types of Testing Called for by the FDA FDA Submission Document Testing Guidance Section : V.C TYPES OF TEST DESCRIPTION BLUETOOTH EXAMPLE Security Requirements Testing • Verification of input/requirement for security features • Testing of functionality including boundary cases • Positive and negative tests of Elliptic Curve Diffie Helman challenge-response • Verify that programming API and device characteristics are available only after auth. Threat Mitigation Testing • Validation/system level testing • Tie back to threat model • Consider global system, multi-patient harm, patchability • Test security of keys from brute force attacks • Consider break-one-break-them-all scenarios if unique keys per device not specified • Test for authentication bypass (e.g. pairing accepted without correct response) Vulnerability Testing • Testing for malformed inputs • Unexpected inputs • Vulnerability Chaining • Fuzzing, scanning, encryption check, static & dynamic code analysis • NIST NVD and CISA Known Exploited Vulnerabilities Catalog for Bluetooth vulns. using CPE. Penetration Testing • Testing done by personnel who have not worked on the design • White box testing recommended : more efficient & accepted by FDA • One week of pentesting on Bluetooth interfaces • MITM attacks, key extraction from app, key extraction for AMPS device (e.g., JTAG, USB, UART), malformed inputs, DoS, etc…
  • 26. Cybersecurity Risk Management Report Risk Management Report Vulnerability/Threat Mitigation/Penetration Testing SBOM Threat Modeling Threat Intelligence (e.g., CISA Vulnerability Catalog) FDA Submission Document Cybersecurity Risk Management Report Guidance Section : V, VI.B FDA Submission Document Unresolved Anomaly Assessment Guidance Section : V.A.5 FDA Submission Document Traceability Guidance Section : V.A, V.B, V.C, VI.A Overview • 3 Report Descriptions • FDA Submission Document: V, VI.B • TIR57, sec. 8. • SW96 Appendix C • Terms and concepts from the three sources are slightly different • Summary and References • Risk Management Report should succinctly SUMMARIZE the risk management process followed, and details of the outcome • Full analysis, assessments, models are REFERENCED in report Report Contents • System Description • Device Intended Use • Operating Environment • Threat Model • Security Risk Assessment • SBOM • Vulnerability Assessment • Unresolved Anomalies Assessment • Risk evaluation methods and processes • Residual Risk conclusions • Risk Mitigation activities • Component support information • Traceability: threat model / risk assessment / SBOM / testing documentation
  • 27. Labeling FDA Submission Document Labeling Guidance Section : VI.A Labeling as applied to cybersecurity • How to securely configure/set secure passwords • Document risks that are transferred • Security information of IT cybersecurity staff • Device identification on a network and how to track • Logging and attack detection information • Instructions to obtain software updates • Date of end of life support • How a device under attack will notify user • Protections against catastrophic events Labeling for example • How to set password in BT phone app • No risks transferred – all BT risks mitigated • Security information of IT cybersecurity staff • Unique device IDs tracked through app to cloud • IDS alerts provided on detection of attacks • URL on company website for software updates • End of life date negotiated between medical device manufacturer and HDO Labeling for user to help manage security risks - “Manufacturers should provide or make available SBOM information to users on a continuous basis” - Online portal to publish SBOM information, vulnerability information. Updated. Accurate.
  • 28. Post Market FDA Submission Document Cybersecurity Management Plans Guidance Section : VI.B FDA Submission Document Measures and Metrics Guidance Section : V.A.6 Cybersecurity Management Plans • Personnel responsible • Post market vulnerability monitor plan and sources of threat intel • Update process and time to patch • Vulnerability disclosure to manufacturer & communication to HDOs • Communicate through Online portal Measures & Metrics • Percentage of vulnerabilities that are patched • Time from vulnerability identification to patching • Duration from when a patch is available to implementation in devices deployed
  • 29. One Result of your SPDF Documentation for FDA Pre-Market Submission – Appendix 4