The FDA is developing a cybersecurity laboratory in which a fuzz testing capability is to be integrated. The FDA has deemed Codenomicon Defensics one of the best fuzz-testing solutions on the market since it provides both ongoing support and top quality output reports.
"This is excellent news for the medical device industry", said Codenomicon CEO David Chartier. "Cybersecurity for medical devices has been lacking in standardized testing procedures, and the FDA introducing fuzz testing capabilities is a big step forward", he concluded.
The FDA states that software errors, or bugs, often create vulnerabilities because they cause software to behave differently than intended. The software might crash, making it unavailable, consume all available resources, or cause other unpredictable consequences. In the worst-case scenario, attackers might be able to trigger the bug in a specific way so that they can run their own commands on the system.
Devices used in healthcare increasingly rely on software, and therefore the software quality and reliability must be high. Some bugs are exposed and fixed during the testing phase of a software development process. The bugs that slip past the testing phase without being found or fixed are unknown vulnerabilities which can be triggered after the product release, sometimes with catastrophic results.
In healthcare, devices that use e.g. Bluetooth or Wi-Fi for connecting to computers may be vulnerable. These devices include heart rate monitors, insulin pumps, pacemakers and possibly even surgical robots. Their software robustness and quality are therefore paramount, as human lives are at stake.
The best way to discover unknown vulnerabilities is through fuzzing, a negative software testing method that feeds a program, device, or system with malformed and unexpected input data in order to find defects. When software is fuzz tested proactively, vulnerabilities can be found and fixed before deployment, resulting in more secure, robust, high-quality software. Fuzz-tested products have considerably fewer critical vulnerabilities that need to be patched. This means less cost from patch development and release, fewer product recalls, and ultimately safer medical devices.
Read more about Codenomicon Defensics for Medical Devices
Stories on the FDA cybersecurity laboratory elsewhere:
• The FDA solicitation
• The Regulatory Affairs Professionals Society news
• The Association for the Advancement of Medical Instrumentation news
(In U.S.A.) Mike Ahmadi, CISSP, Global Director, Medical Security, Codenomicon Ltd.
(In Finland) Antti Kiiveri, Head of Marketing, Codenomicon Oy
About Codenomicon Ltd
Codenomicon (codenomicon.com) finds security vulnerabilities others have not found. Companies rely on Codenomicon's solutions to discover zero-day vulnerabilities that cause Denial of Service (DoS) and data leakage, which are the unknown vulnerabilities Advanced Persistent Threats (APTs) use to break into systems. Codenomicon's customers include Alcatel-Lucent, AT&T, Cisco Systems, Microsoft, Motorola, Google, Verizon, Nokia Siemens Networks, Huawei, and T-Systems. Codenomicon is known for its Defensics software for security stress-testing of software, firmware and hardware; its Clarified Situation Awareness solution for Computer Emergency Response Teams (CERTs) and Network Operations Centers (NOCs); and its Fuzz-o-Matic application testing-as-a-service.