
    Vulnerability, Penetration & Other Cybersecurity Testing Types Explained | Ep. 33


    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Published August 2025 · Last reviewed May 2026

    The Med Device Cyber Podcast · August 31, 2025

    This episode of The Med Device Cyber Podcast delves into the critical aspects of cybersecurity testing for medical devices, a topic of paramount importance for product security teams, regulatory leads, and engineers. Hosts Trevor Slattery and Christian Espinosa unravel the distinctions between vulnerability testing and penetration testing, explaining how the former identifies potential weaknesses while the latter actively exploits them to uncover deeper vulnerabilities. They explore various testing methodologies, including static and dynamic code analysis, software composition analysis (SCA) for generating Software Bills of Materials (SBOMs), and the nuances of black, gray, and white box penetration testing. The discussion highlights the FDA's expectations for closed-box and white-box testing, emphasizing the need to consider every entry point on a device as in-scope for security assessments. The hosts also shed light on fuzz testing for identifying zero-day vulnerabilities and the importance of security requirement testing to ensure secure functionality. The episode concludes with a strong recommendation for manufacturers to engage experienced third-party partners for comprehensive and FDA-compliant penetration testing, particularly those with expertise in hardware testing. This is crucial for navigating the strict documentation requirements and unique challenges of medical device cybersecurity.

    Key Takeaways

    • Vulnerability testing identifies potential weaknesses, while penetration testing actively exploits those weaknesses to uncover deeper vulnerabilities within a system.
    • Software composition analysis (SCA) is crucial for generating a Software Bill of Materials (SBOM) to identify risks associated with third-party components and potential 'software of unknown provenance' (SOUP).
    • White box penetration testing, where testers have full access to source code and documentation, is the most comprehensive approach for medical devices, though black box testing also offers valuable insights into authentic attack scenarios.
    • The FDA emphasizes abuse case testing, requiring manufacturers to consider how attackers might misuse device interfaces and functionalities, even those seemingly out of scope.
    • Fuzz testing is an effective method for discovering zero-day vulnerabilities by intentionally sending malformed data to identify unexpected application behaviors and memory vulnerabilities.
    • Security requirement testing is essential for verifying that each functional requirement on a medical device adheres to defined security requirements, ensuring secure operation.
    • Medical device manufacturers should engage third-party penetration testing partners with specialized expertise in hardware testing and FDA regulatory requirements to ensure comprehensive and compliant security assessments.
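    The fuzz-testing and security-requirement points above, as an added example that is not from the episode or from Blue Goat Cyber: a minimal mutation fuzzer run against a constructed length-prefixed telemetry record parser. The record format, the parsers and the seed record are all invented for illustration; the naive parser trusts the length field and crashes on malformed input, while the checked parser rejects the same input with a controlled error, which is the behaviour a security requirement test would verify.

```python
import random

def build_record(rtype: int, payload: bytes) -> bytes:
    """Constructed record format: type byte, length byte, payload, additive checksum."""
    body = bytes([rtype, len(payload)]) + payload
    return body + bytes([sum(body) & 0xFF])

SEED_RECORD = build_record(0x01, b"HR=072")  # constructed valid telemetry record

def parse_record_naive(buf: bytes) -> dict:
    """Trusts the length field, so a malformed record can raise IndexError (a crash)."""
    rtype, length = buf[0], buf[1]
    checksum = buf[2 + length]            # out of range when length overstates the payload
    if (sum(buf[:2 + length]) & 0xFF) != checksum:
        raise ValueError("bad checksum")  # controlled rejection, not a crash
    return {"type": rtype, "payload": bytes(buf[2:2 + length])}

def parse_record_checked(buf: bytes) -> dict:
    """Validates size, length field and checksum; malformed input only ever raises ValueError."""
    if len(buf) < 3 or len(buf) != buf[1] + 3:
        raise ValueError("length field does not match record size")
    if (sum(buf[:-1]) & 0xFF) != buf[-1]:
        raise ValueError("bad checksum")
    return {"type": buf[0], "payload": bytes(buf[2:-1])}

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, truncation, or appended junk bytes."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1:
        del data[rng.randrange(len(data) + 1):]
    else:
        data.extend(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Feed mutated records to target; return the inputs that escaped controlled validation."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                      # expected rejection of malformed input
        except Exception as exc:          # anything else is an unexpected behaviour
            crashes.append((case, type(exc).__name__))
    return crashes
```

    Running `fuzz(parse_record_naive, SEED_RECORD)` returns the crashing inputs, each one a concrete malformed record to attach to the finding; the same run against `parse_record_checked` returns an empty list.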

    Listen on mdcpodcast.com · Watch on YouTube



    Want help applying this to your own device program?

    Blue Goat Cyber is a specialist medical device cybersecurity firm: 250+ FDA submissions, zero rejections. If anything in this conversation hit close to home, book a 30-minute strategy session - no cost, no obligation.


    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.
