OWASP Global AppSec Lisbon 2024

Cyber security for medical devices has received a lot of attention very early and quite naturally, since it can literally be a matter of life or death. Regulatory bodies all over the world have imposed strict cyber security requirements that cover the entire lifecycle of a medical device. Such regulations include cyber security guidance by the FDA in the US, and the Medical Device Regulation in the EU (EU MDR). In this presentation we will provide a high level overview of these requirements, and focus on the topic of traceability. Traceability was first introduced as a requirement by FDA almost 20 years ago. It is a systematic way to link together product requirements, design, and testing, along with risk management. It connects cyber security assessments, threat modeling, security tests and  SBOMs, covering the entire software supply chain. Subsequently, we will present a methodology for product security traceability, that we have developed after performing numerous security assessments on medical devices. We believe that any product, not just medical devices, can benefit from this approach. Our methodology helps product teams to focus on pragmatic, business, and product-related risks, rather than just technical, application vulnerabilities. Overall, we will highlight how lessons learned from regulatory compliance requirements and cyber security best practices for medical devices can be adopted from product security teams.