Saturday, August 2, 2014

What's Bugging Cigital on Security Analysis of Medical Devices

Bug finding? (Image licensed with permission.)
Earlier this summer, Gary McGraw and Chandu Ketkar wrote up a refreshingly analytic article on their experiences in analyzing the security of medical devices. Chandu presented more detailed results at the Archimedes Workshop on Medical Device Security (slides available to institutional members). It's natural for humans to focus on inputs or outputs that are easily counted (e.g., bugs) rather than less easily countable things such as deeper analysis of causation. Such outcomes often require expert engineers to grok the findings and recommendations. Don't get me wrong: bug finding is an essential ingredient for security. And finding oodles of bugs can help in tangible ways if management needs convincing. However, at the end of the day there are still basic engineering issues one must solve to actionably improve medical device security.

Gary and Chandu talk about the typical architectural flaws they find in medical devices. Want some meaningful improvements in security architecture? Read on.
